CVE-2026-34752
Prototype Pollution Crash in Haraka Mail Server Before
Publication date: 2026-04-02
Last updated on: 2026-04-03
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| haraka_project | haraka | < 3.1.4 (3.1.4 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-248 | An exception is thrown from a function, but it is not caught. |
AI-Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34752 is a denial-of-service (DoS) vulnerability in the Haraka Node.js mail server, versions up to 3.1.3. The issue occurs when an attacker sends an email with a header named '__proto__'. The email header parser stores headers in a plain JavaScript object and initializes an array for each header key the first time that key is seen. However, reading the '__proto__' property of a plain object returns Object.prototype instead of undefined or null, so the "is this key missing?" check fails and the array initialization is skipped. When the code then attempts to push the header value into this non-array object, a TypeError is thrown, which crashes the Haraka worker process.
This crash is triggered by an uncaught exception that causes the process to exit. In single-process mode, the entire server goes down, while in cluster mode, the worker process restarts but active sessions are lost, causing service disruption.
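As an added illustration (not Haraka's own code, which this page does not reproduce), the following JavaScript reconstructs the failure mode described in the answer above with a deliberately minimal header store, and puts a hardened store beside it. The function names, the constructed sample header lines and the Map-based replacement are assumptions of this example; the only thing taken from the page is the mechanism itself (plain object, "initialize array if missing" check, `__proto__` resolving to Object.prototype).

```javascript
// Added example: a minimal header store that reproduces the crash mechanism
// described above, beside a hardened version. Not Haraka's code.

// Constructed sample input: the header block of a message whose last
// header line matches the one used in the Q&A's PoC.
const SAMPLE_HEADER_LINES = [
  'From: sender@example.com',
  'Subject: hello',
  '__proto__: crash-test',
];

// Split "Name: value" into its parts; returns null for lines without a colon.
function splitHeaderLine(line) {
  const idx = line.indexOf(':');
  if (idx < 1) return null;
  return { name: line.slice(0, idx).trim(), value: line.slice(idx + 1).trim() };
}

// Vulnerable pattern (assumed reconstruction): a plain object keyed by header
// name. For the key "__proto__", headers[key] is Object.prototype, which is
// truthy, so the array is never created and .push is not a function.
function addHeaderVulnerable(headers, name, value) {
  const key = name.toLowerCase();
  if (!headers[key]) {
    headers[key] = [];
  }
  headers[key].push(value); // TypeError for "__proto__"
}

// Hardened pattern: a Map has no prototype-chain lookups, so "__proto__" is
// just another string key and gets its own array like any other header.
function addHeaderHardened(headers, name, value) {
  const key = name.toLowerCase();
  let list = headers.get(key);
  if (list === undefined) {
    list = [];
    headers.set(key, list);
  }
  list.push(value);
}

// Feed every header line through the chosen store. The exception that would
// take down a worker is caught here and reported as a result instead.
function ingest(lines, addFn, store) {
  try {
    for (const line of lines) {
      const h = splitHeaderLine(line);
      if (h) addFn(store, h.name, h.value);
    }
    return { ok: true, error: null, store };
  } catch (err) {
    return { ok: false, error: err.name, store };
  }
}

function demoVulnerable() {
  return ingest(SAMPLE_HEADER_LINES, addHeaderVulnerable, {});
}

function demoHardened() {
  return ingest(SAMPLE_HEADER_LINES, addHeaderHardened, new Map());
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable store:', demoVulnerable().error); // TypeError
  console.log('hardened store  :', [...demoHardened().store.keys()]);
}
```

The same protection can be had with `Object.create(null)` instead of a Map, since an object without a prototype has no inherited `__proto__` accessor and the key becomes an ordinary own property; a `hasOwnProperty` check on a normal object is not enough on its own, because the assignment `headers['__proto__'] = []` would still hit the inherited setter rather than create a property.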
How can this vulnerability impact me?
This vulnerability can cause a denial-of-service condition by crashing the Haraka mail server process when it receives an email with a specially crafted header '__proto__'.
- In single-process mode, the entire mail server crashes and becomes unavailable.
- In cluster mode, the worker process restarts but all active sessions are lost, leading to temporary service disruption.
There is no impact on confidentiality or integrity, but availability is severely affected, potentially causing downtime and disruption of email services.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or unexpected termination of the Haraka worker process when it receives an email containing a header named '__proto__'. A proof-of-concept exploit involves sending an SMTP DATA command whose header block contains a line beginning with '__proto__:', which triggers the crash.
A practical detection method is to attempt sending an email to the Haraka server with a header named '__proto__' and observe whether the server process crashes or restarts.
An example command sequence to test this (as demonstrated in the PoC) involves connecting to the SMTP server on localhost port 2525 and issuing SMTP commands including DATA with the problematic header.
- Use telnet or netcat to connect to the SMTP server: `telnet localhost 2525`
- Send SMTP commands manually, for example:
  - `HELO example.com`
  - `MAIL FROM:<[email protected]>`
  - `RCPT TO:<[email protected]>`
  - `DATA`
  - `__proto__: crash-test`
  - `.`
If the Haraka worker process crashes or the service becomes unavailable after this test, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Haraka email server package to version 3.1.4 or later, where this vulnerability has been patched.
Until the upgrade can be performed, consider implementing network-level protections such as filtering or blocking emails containing suspicious header names like '__proto__' to prevent triggering the crash.
Additionally, running Haraka in cluster mode can reduce the impact of worker crashes by allowing the master process to restart workers, although this does not prevent service disruption.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Haraka (CVE-2026-34752) causes a denial-of-service (DoS) condition by crashing the mail server process when an email with a specially crafted header is received. This impacts the availability of the email service but does not affect confidentiality or integrity of data.
Since the vulnerability does not lead to data breaches, unauthorized data access, or data modification, it does not directly compromise compliance with standards focused on data protection such as GDPR or HIPAA. However, the disruption of email service availability could indirectly affect compliance if email availability is a regulatory requirement or critical for timely communication of protected information.