Description
Haraka is a Node.js mail server. Prior to version 3.1.4, sending an email with __proto__: as a header name crashes the Haraka worker process. This issue has been patched in version 3.1.4.
Published: 2026-04-02
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

Haraka, a Node.js mail server, crashes when an email containing a header named __proto__ is processed. This crash stops the worker process that handles incoming mail, causing the entire service to become unavailable for that worker. The vulnerability can be triggered by an attacker without any authentication, leading to a denial of service for users relying on the affected server.
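Why a header named `__proto__` is a special case for JavaScript code, shown as an added example (this is illustration code, not Haraka's own implementation, and it assumes for the demonstration that headers are kept in a plain object keyed by name; the record does not state Haraka's actual internal cause). A plain object treats the key `__proto__` as the inherited prototype accessor rather than an ordinary property, so a lookup "succeeds" with the wrong object and the next method call throws an uncaught exception, which is the CWE-248 pattern the record lists. A null-prototype store has no such accessor and keeps the header like any other. All header lines below are constructed.

```javascript
// Added illustration, not Haraka's code. Assumes headers are kept in a plain
// object keyed by lowercased header name; the CVE record does not state
// Haraka's actual internal cause. All sample headers below are constructed.

// Naive store: a plain {} keyed by header name. For the key "__proto__",
// reading store[key] returns Object.prototype (truthy), so the guard passes
// and the following .push() throws a TypeError that nothing catches.
function naiveAddHeader(store, name, value) {
  const key = name.toLowerCase();
  if (!store[key]) store[key] = [];
  store[key].push(value);
}

// Hardened store: a null-prototype object has no inherited "__proto__"
// accessor, so every header name, including "__proto__", becomes an ordinary
// own property. hasOwnProperty.call is used because the store itself has no
// prototype to provide that method.
function createHeaderStore() {
  return Object.create(null);
}

function addHeader(store, name, value) {
  const key = name.toLowerCase();
  if (!Object.prototype.hasOwnProperty.call(store, key)) store[key] = [];
  store[key].push(value);
}

// Minimal constructed parser: one "Name: value" header per line, no folding.
// The store factory and adder are injected so both stores can be compared.
function parseHeaders(rawHeaderBlock, storeFactory, adder) {
  const store = storeFactory();
  for (const line of rawHeaderBlock.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx < 1) continue; // skip blank or malformed lines
    adder(store, line.slice(0, idx).trim(), line.slice(idx + 1).trim());
  }
  return store;
}

// Constructed sample header block that contains a "__proto__" header.
const SAMPLE_HEADERS = [
  'From: alice@example.test',
  'Subject: hello',
  '__proto__: anything',
  'Subject: second',
].join('\r\n');

// Runs the parser against a given store and reports either the parsed keys
// or the exception class that escaped, instead of letting the exception
// propagate the way it would inside an unguarded worker process.
function tryParse(storeFactory, adder) {
  try {
    const s = parseHeaders(SAMPLE_HEADERS, storeFactory, adder);
    return { ok: true, keys: Object.keys(s).sort(), subject: s.subject };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

const naiveResult = tryParse(() => ({}), naiveAddHeader);
const hardenedResult = tryParse(createHeaderStore, addHeader);

console.log('plain object store:', naiveResult);
console.log('null-prototype store:', hardenedResult);
```

Running the block prints a `TypeError` for the plain-object store and a complete header set (including `__proto__` as an ordinary key) for the null-prototype store. A `Map` keyed by header name gives the same protection; the point for reviewers of any Node.js service that indexes objects by attacker-controlled names is that `__proto__`, `constructor` and `hasOwnProperty` are not ordinary keys on a plain object, and that a worker process should also have a top-level handler so one malformed message does not take the whole worker down.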

Affected Systems

The affected product is Haraka by the Haraka Project. Versions prior to 3.1.4 are vulnerable; any deployment running 3.1.3 or older is at risk. The issue is specific to the mail server component and does not directly affect other Node.js applications outside of Haraka.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation in the wild, consistent with the vulnerability not being listed in CISA's KEV catalog. Despite the low exploitation probability, the attack vector is straightforward: an attacker can send a crafted email to the server over the network. No privileged access or additional conditions are required, so the vulnerability is trivial to exploit for anyone able to reach the server.

Generated by OpenCVE AI on April 3, 2026 at 22:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading Haraka to version 3.1.4 or later; this version removes the crash condition triggered by the __proto__ header.

Advisories
Source: GitHub GHSA
ID: GHSA-xph3-r2jf-4vp3
Title: Haraka affected by DoS via `__proto__` email header
History

Fri, 03 Apr 2026 20:15:00 +0000

First Time appeared (values added): Haraka Project; Haraka Project haraka
CPEs (values added): cpe:2.3:a:haraka_project:haraka:*:*:*:*:*:node.js:*:*
Vendors & Products (values added): Haraka Project; Haraka Project haraka
Metrics (values added): cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Fri, 03 Apr 2026 16:30:00 +0000

Metrics (values added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 10:15:00 +0000

First Time appeared (values added): Haraka; Haraka haraka
Vendors & Products (values added): Haraka; Haraka haraka

Thu, 02 Apr 2026 20:30:00 +0000

Description (values added): Haraka is a Node.js mail server. Prior to version 3.1.4, sending an email with __proto__: as a header name crashes the Haraka worker process. This issue has been patched in version 3.1.4.
Title (values added): Haraka affected by DoS via `__proto__` email header
Weaknesses (values added): CWE-248
References (values added): none listed
Metrics (values added): cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T15:47:34.494Z

Reserved: 2026-03-30T19:17:10.225Z

Link: CVE-2026-34752

Vulnrichment

Updated: 2026-04-03T15:47:28.929Z

NVD

Status : Analyzed

Published: 2026-04-02T19:21:33.517

Modified: 2026-04-03T19:50:42.600

Link: CVE-2026-34752

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T07:55:27Z

Weaknesses