Executive Summary

CVE-2026-34752 is a denial-of-service (DoS) vulnerability in the Haraka Node.js mail server versions up to 3.1.3. The issue occurs when an attacker sends an email with the header name '__proto__'. The email header parser stores headers in a plain JavaScript object and tries to initialize an array for each header key. However, accessing the '__proto__' header returns Object.prototype instead of undefined or null, causing the array initialization to be skipped. When the code attempts to push the header value into this non-array object, a TypeError is thrown, which crashes the Haraka worker process.

This crash is triggered by an uncaught exception that causes the process to exit. In single-process mode, the entire server goes down, while in cluster mode, the worker process restarts but active sessions are lost, causing service disruption.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause a denial-of-service condition by crashing the Haraka mail server process when it receives an email with a specially crafted header '__proto__'.

• In single-process mode, the entire mail server crashes and becomes unavailable.
• In cluster mode, the worker process restarts but all active sessions are lost, leading to temporary service disruption.

There is no impact on confidentiality or integrity, but availability is severely affected, potentially causing downtime and disruption of email services.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for crashes or unexpected termination of the Haraka worker process when it receives an email containing a header named '__proto__:'. A proof-of-concept exploit involves sending an SMTP DATA command with a header line containing '__proto__:' which triggers the crash.

A practical detection method is to attempt sending an email to the Haraka server with a header named '__proto__:' and observe if the server process crashes or restarts.

An example command sequence to test this (as demonstrated in the PoC) involves connecting to the SMTP server on localhost port 2525 and issuing SMTP commands including DATA with the problematic header.

• Use telnet or netcat to connect to the SMTP server: `telnet localhost 2525`
• Send SMTP commands manually, for example:
• HELO example.com
• MAIL FROM:<[email protected]>
• RCPT TO:<[email protected]>
• DATA
• __proto__: crash-test
• .

If the Haraka worker process crashes or the service becomes unavailable after this test, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the Haraka email server package to version 3.1.4 or later, where this vulnerability has been patched.

Until the upgrade can be performed, consider implementing network-level protections such as filtering or blocking emails containing suspicious headers like '__proto__:' to prevent triggering the crash.

Additionally, running Haraka in cluster mode can reduce the impact of worker crashes by allowing the master process to restart workers, although this does not prevent service disruption.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in Haraka (CVE-2026-34752) causes a denial-of-service (DoS) condition by crashing the mail server process when an email with a specially crafted header is received. This impacts the availability of the email service but does not affect confidentiality or integrity of data.

Since the vulnerability does not lead to data breaches, unauthorized data access, or data modification, it does not directly compromise compliance with standards focused on data protection such as GDPR or HIPAA. However, the disruption of email service availability could indirectly affect compliance if email availability is a regulatory requirement or critical for timely communication of protected information.

Useful 0 Not Useful 0