CVE-2025-31135: CWE-20: Improper Input Validation in phires go-guerrilla
CVE-2025-31135 is a medium severity vulnerability in the go-guerrilla SMTP daemon versions prior to 1.6.7. When the ProxyOn feature is enabled, the server improperly accepts multiple PROXY commands, allowing later commands to override earlier ones. This behavior enables a client to spoof its IP address by sending additional PROXY commands, which the server mistakenly treats as coming from a trusted reverse proxy. The vulnerability stems from improper input validation (CWE-20) and can lead to integrity issues, such as bypassing IP-based access controls or logging incorrect client IPs. No authentication or user interaction is required, and the vulnerability is exploitable remotely over the network. The issue is fixed in version 1.6.7.
AI Analysis
Technical Summary
The go-guerrilla SMTP daemon is a lightweight SMTP server implemented in Go, commonly used for mail relay services. In versions prior to 1.6.7, when the ProxyOn feature is enabled, the server accepts the PROXY protocol command multiple times during a single SMTP session. The PROXY protocol is designed to pass client connection information, such as the originating IP address, from a reverse proxy to the backend server. However, the protocol specification only supports a single initial PROXY header; any subsequent PROXY commands should be treated as part of the SMTP data exchange, not as proxy headers. Due to improper input validation (CWE-20), go-guerrilla incorrectly processes multiple PROXY commands, allowing an attacker to send additional PROXY commands with arbitrary data. This flaw enables an attacker to spoof the client IP address as seen by the SMTP server, potentially bypassing IP-based access controls, misleading logging and monitoring systems, or evading detection mechanisms that rely on accurate client IP information. The vulnerability does not affect confidentiality or availability directly but impacts integrity by allowing manipulation of client identity. Exploitation requires no authentication or user interaction and can be performed remotely over the network. The issue was publicly disclosed and fixed in version 1.6.7 of go-guerrilla. No known exploits are currently reported in the wild.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to the integrity of SMTP client identification. Organizations relying on go-guerrilla SMTP servers with ProxyOn enabled may have their IP-based access controls circumvented, allowing unauthorized senders to relay mail or bypass anti-spam and anti-abuse filters. Spoofed IP addresses can also corrupt email logs and monitoring data, complicating incident response and forensic investigations. This could lead to increased spam, phishing, or malware distribution through compromised or misconfigured mail infrastructure. While the vulnerability does not directly compromise data confidentiality or server availability, the trustworthiness of email source information is undermined, which is critical for compliance with European data protection and cybersecurity regulations. Organizations with strict email security policies or those operating in regulated sectors such as finance, healthcare, or government are particularly at risk. The lack of known exploits in the wild suggests limited immediate threat but does not preclude future exploitation attempts.
Mitigation Recommendations
European organizations should immediately upgrade all go-guerrilla SMTP daemon instances to version 1.6.7 or later, where this vulnerability is patched. If upgrading is not immediately feasible, administrators should disable the ProxyOn feature to prevent processing of PROXY commands. Network-level controls should be implemented to restrict SMTP access to trusted reverse proxies only, minimizing exposure to untrusted clients. Additionally, organizations should audit their SMTP logs for suspicious multiple PROXY commands or anomalous IP address changes within sessions. Deploying intrusion detection systems (IDS) or email security gateways capable of detecting proxy protocol anomalies can help identify exploitation attempts. Reviewing and tightening IP-based access control lists and anti-spam rules to consider this vulnerability is advisable. Finally, organizations should ensure that their incident response teams are aware of this issue and prepared to investigate potential spoofing incidents.
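The hardened handling the technical analysis describes (one PROXY header, first line only, trusted peer only) and the session-level audit signal the log-review recommendation asks for, as an added Go example that is not go-guerrilla's own code; the Session type, its fields and the trusted callback are assumptions, and the sample addresses in the comments are constructed.

```go
package main

import (
	"net"
	"strings"
)

// Session is the per-connection state a hardened handler keeps (illustrative
// code, not go-guerrilla's own; type and field names are assumptions).
type Session struct {
	RemoteIP  net.IP   // TCP peer: the reverse proxy when one is in front
	ClientIP  net.IP   // source from the single accepted header; nil = use RemoteIP
	proxyDone bool     // true once the first line of the connection is consumed
	Anomalies []string // later PROXY lines, kept for log review
}

// parseProxyV1 returns the source address of a well-formed v1 header
// ("PROXY TCP4|TCP6 <src> <dst> <srcport> <dstport>"), or nil otherwise.
func parseProxyV1(line string) net.IP {
	f := strings.Fields(line)
	if len(f) != 6 || f[0] != "PROXY" || (f[1] != "TCP4" && f[1] != "TCP6") {
		return nil
	}
	return net.ParseIP(f[2])
}

// HandleLine processes one line from the connection. A PROXY header is
// honoured only as the very first line and only from a trusted peer; any
// later PROXY line is just an SMTP command, so it is rejected and recorded
// rather than allowed to override ClientIP (the CVE-2025-31135 behaviour).
func (s *Session) HandleLine(line string, trusted func(net.IP) bool) string {
	first := !s.proxyDone
	s.proxyDone = true
	if !strings.HasPrefix(line, "PROXY ") {
		return "250 OK" // ordinary SMTP command; real handling elided
	}
	if first && trusted(s.RemoteIP) {
		if ip := parseProxyV1(line); ip != nil {
			s.ClientIP = ip
			return "" // header consumed, no SMTP reply is sent
		}
		return "500 malformed PROXY header"
	}
	// Constructed example of what lands here: "PROXY TCP4 192.0.2.9 ..." sent
	// after the session has already started. Surface it to logging/IDS.
	s.Anomalies = append(s.Anomalies, line)
	return "500 PROXY not allowed here"
}
```

A non-empty Anomalies slice at session end is exactly the "multiple PROXY commands within a session" signal the audit recommendation refers to.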
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-03-26T15:04:52.627Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 697a92d04623b1157cf6c713
Added to database: 1/28/2026, 10:50:56 PM
Last enriched: 1/28/2026, 11:05:21 PM
Last updated: 1/29/2026, 1:03:12 AM