Description
Haraka is a Node.js mail server. Prior to version 3.1.4, sending an email with __proto__: as a header name crashes the Haraka worker process. This issue has been patched in version 3.1.4.
Published: 2026-04-02
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

Haraka servers that receive an email with a header named __proto__ crash the worker process, leading to a denial of service. The flaw arises from improper handling of the header name during parsing. According to CWE-248, this is an off‑by‑one or similar error that causes the process to terminate, temporarily disabling the mail server until it is restarted. The impact is a loss of availability for all mail that the server receives until a restart occurs.

Affected Systems

All installations of the Haraka mail server prior to version 3.1.4 are affected. The vendor is Haraka and the product is Haraka, running on Node.js. Any deployment that uses version 3.1.3 or earlier will be vulnerable.

Risk and Exploitability

An attacker can exploit the issue simply by sending an email containing a __proto__ header, a normal part of SMTP traffic. The CVSS score of 8.7 indicates high severity, and because no special privileges are needed the likelihood of exploitation is significant. The vulnerability is not currently listed in the KEV catalog, but the attack vector is remote over the network and would be easily triggered by any mail destined for the server.

Generated by OpenCVE AI on April 2, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Haraka to version 3.1.4 or later
  • If an upgrade cannot be performed immediately, monitor inbound email traffic for headers named __proto__ and quarantine or discard such messages
  • Configure the mail server’s firewall or SMTP gateway to reject messages that contain the __proto__ header as a temporary mitigation

Generated by OpenCVE AI on April 2, 2026 at 22:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xph3-r2jf-4vp3 Haraka affected by DoS via `__proto__` email header
History

Fri, 03 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Haraka Project
Haraka Project haraka
CPEs cpe:2.3:a:haraka_project:haraka:*:*:*:*:*:node.js:*:*
Vendors & Products Haraka Project
Haraka Project haraka
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Haraka
Haraka haraka
Vendors & Products Haraka
Haraka haraka

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description Haraka is a Node.js mail server. Prior to version 3.1.4, sending an email with __proto__: as a header name crashes the Haraka worker process. This issue has been patched in version 3.1.4.
Title Haraka affected by DoS via `__proto__` email header
Weaknesses CWE-248
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Haraka Haraka
Haraka Project Haraka
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T15:47:34.494Z

Reserved: 2026-03-30T19:17:10.225Z

Link: CVE-2026-34752

cve-icon Vulnrichment

Updated: 2026-04-03T15:47:28.929Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T19:21:33.517

Modified: 2026-04-03T19:50:42.600

Link: CVE-2026-34752

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:16:36Z

Weaknesses