# Root Cause Analysis: CVE-2026-34752

## Summary

CVE-2026-34752 is a denial-of-service vulnerability in the haraka-email-message library (v1.2.0 and earlier). It is triggered in the `Header.parse()` method when an incoming message carries a header whose name is `__proto__`. Header names are used directly as property names on a plain object, so the lookup `this.headers['__proto__']` returns `Object.prototype` (the prototype of the headers object) instead of the per-header array the code expects. The subsequent `this.headers[key][method](value)` call (with `method` set to `"push"`) then throws a TypeError, because `Object.prototype.push` is not a function. The exception is not caught and can terminate the whole process.

## Impact

- **Package**: haraka-email-message
- **Affected Versions**: 1.2.0 and earlier (bundled with Haraka@3.1.3)
- **Fixed Versions**: 1.3.2 (latest as of March 2026)
- **Risk Level**: High
- **Consequences**: 
  - Application crash/DoS through an unguarded `__proto__` header name (prototype-pollution bug class; nothing is actually written to `Object.prototype`, the process simply dies)
  - Uncaught TypeError terminates Node.js process
  - In Haraka SMTP server context: single-process mode causes full server crash, cluster mode kills worker processes

## Root Cause

The vulnerability is in the `_add_header()` function of `lib/header.js` (in v1.2.0 the code is bundled into `index.js`), lines 150-151:

```javascript
_add_header (key, value, method) {
    this.headers[key] = this.headers[key] || [];
    this.headers[key][method](value);
}
```

When `key` is `__proto__`:
1. `this.headers['__proto__']` resolves through the inherited `__proto__` accessor and returns `Object.prototype`, the prototype of the plain `{}` object that holds the headers
2. `Object.prototype` is truthy, so the `|| []` fallback is never evaluated; the assignment `this.headers['__proto__'] = Object.prototype` merely sets the prototype to what it already is
3. `this.headers[key][method]` therefore evaluates to `Object.prototype.push`, which is `undefined`
4. Calling it throws `TypeError: this.headers[key][method] is not a function`

`Header.parse()` calls `_add_header(key, val, "push")` for every header line it reads, so any inbound message whose header block contains a line such as `__proto__: crash` reaches this code path; the parser is the entry point that turns attacker-controlled message text into internal structures. The same failure occurs for any header name that matches another inherited `Object.prototype` member (`constructor`, `toString`, `hasOwnProperty`, ...), because those lookups also return a truthy non-array value; `__proto__` is simply the case reported here.

**Fix**: The patched version keeps header names from reaching the prototype chain, either by creating the headers object with `Object.create(null)` (so there are no inherited properties to return) or by validating header keys before they are used as property names (see Recommendations below).
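
The following is an added example, not code from haraka-email-message: a minimal header store that reproduces the `_add_header()` pattern quoted above, so the failure can be observed without installing the vulnerable package. It goes slightly beyond the advisory by also probing `constructor` and `toString` (which fail the same way) and `prototype` (which does not, since plain objects do not inherit it), and it checks that `Object.prototype` is left untouched. The class name, `tryParse`, `prototypeIsClean` and the sample header blocks are assumptions made for this illustration; header names are kept as written rather than lowercased.

```javascript
'use strict';

// Added example, not code from haraka-email-message: a minimal header store
// that reproduces the _add_header() pattern from the advisory. Names here are
// assumptions for illustration; header names are kept as written.
class VulnerableHeader {
  constructor() {
    // A plain object literal: every Object.prototype member is reachable
    // through a header name, which is the whole problem.
    this.headers = {};
  }

  // Same two lines as the quoted _add_header(). A truthy inherited value
  // short-circuits `|| []`, and that value has no push().
  _add_header(key, value, method) {
    this.headers[key] = this.headers[key] || [];
    this.headers[key][method](value);
  }

  // Stand-in for Header.parse(): one "Name: value" header per line.
  // Folded continuation lines are ignored since they are not needed here.
  parse(raw) {
    for (const line of raw.split(/\r?\n/)) {
      const idx = line.indexOf(':');
      if (idx < 0) continue;
      this._add_header(line.slice(0, idx).trim(), line.slice(idx + 1).trim(), 'push');
    }
    return this;
  }
}

// Parse one header block and report the outcome instead of letting the
// exception escape (a server process without a handler would just die).
function tryParse(raw) {
  const h = new VulnerableHeader();
  try {
    h.parse(raw);
    return { ok: true, keys: Object.keys(h.headers) };
  } catch (e) {
    return { ok: false, errorType: e.constructor.name, message: e.message };
  }
}

// Constructed sample inputs.
const NORMAL = 'From: alice@example.com\nSubject: hello\nX-Test: a\nX-Test: b';
const PROTO = 'From: alice@example.com\n__proto__: crash';
// Any other inherited Object.prototype member fails the same way ...
const CTOR = 'From: alice@example.com\nconstructor: crash';
const TOSTRING = 'From: alice@example.com\ntoString: crash';
// ... while "prototype" is not inherited by plain objects and parses normally.
const PROTOTYPE = 'From: alice@example.com\nprototype: harmless';

// Object.prototype must be untouched afterwards: the assignment inside
// _add_header() re-sets the prototype to itself, it does not pollute it.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0 && !('push' in {});
}

for (const [name, raw] of Object.entries({ NORMAL, PROTO, CTOR, TOSTRING, PROTOTYPE })) {
  console.log(name.padEnd(9), JSON.stringify(tryParse(raw)));
}
console.log('Object.prototype clean:', prototypeIsClean());
```

Run with `node`: the normal block parses, the `__proto__`, `constructor` and `toString` blocks each end in a TypeError whose message contains "is not a function", the `prototype` block parses like any other header, and `Object.prototype` is unchanged afterwards, which is why this is a crash rather than a true pollution.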

## Reproduction Steps

The reproduction script `repro/reproduction_steps.sh`:

1. Installs the vulnerable haraka-email-message@1.2.0 package
2. Creates a Node.js harness that imports the library
3. First tests normal headers to confirm baseline functionality
4. Then tests malicious headers containing `__proto__: crash`
5. Confirms the TypeError is thrown as expected

**Execution**:
```bash
./repro/reproduction_steps.sh
```

**Expected Evidence**:
- Normal headers parse successfully
- Malicious headers with `__proto__` key cause TypeError: "this.headers[key][method] is not a function"
- Crash evidence saved to `artifacts/crash_evidence.json`

## Evidence

**Log Files**:
- `logs/npm_install.log` - Package installation log
- `logs/exploit.log` - Exploit execution log showing the crash

**Key Excerpt from exploit.log**:
```
[+] Test 2: Parsing malicious headers with __proto__ key...
[+] This triggers the prototype pollution vulnerability in _add_header()
[+] CRASH CONFIRMED!
[+] Error type: TypeError
[+] Error message: this.headers[key][method] is not a function
[+] This matches the expected vulnerability behavior
```

**Crash Evidence** (artifacts/crash_evidence.json):
```json
{
  "vulnerability": "CVE-2026-34752",
  "library": "haraka-email-message",
  "version": "1.2.0",
  "entrypoint": "Header.parse()",
  "trigger": "__proto__ header key",
  "error": {
    "type": "TypeError",
    "message": "this.headers[key][method] is not a function"
  }
}
```

**Environment**:
- Node.js version: v18.x (from container)
- Library version: haraka-email-message@1.2.0
- OS: Linux (container environment)

## Recommendations / Next Steps

**Fix Approach**:
1. Use `Object.create(null)` instead of `{}` for the `this.headers` object, so that no header-name lookup can return an inherited property
2. Validate header keys before using them as property names: reject `__proto__`, `constructor`, and `prototype`. Note that a deny-list of only those three names is not sufficient on a plain object, because every other inherited `Object.prototype` name (`toString`, `hasOwnProperty`, ...) also returns a truthy non-array and crashes the same way; reuse an existing entry only after an own-property check (`Object.prototype.hasOwnProperty.call`), and still refuse `__proto__`, since assigning to it on a plain object replaces the prototype instead of storing a header
3. Use a `Map` instead of a plain object for header storage; `Map` lookups never consult the prototype chain
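
To compare the three approaches above, here is an added example (not the haraka-email-message patch) that implements each one as a small header store next to the vulnerable pattern and a naive three-name deny-list, then feeds every store a `__proto__` header and a `toString` header. The store and function names, the `outcome` helper and the sample header pairs are assumptions made for this illustration.

```javascript
'use strict';

// Added example, not the haraka-email-message patch: the fix approaches above
// as small header stores, compared on hostile header names. All names here
// are assumptions for illustration.

// Baseline: the pattern quoted in the Root Cause section.
function vulnerableStore() {
  const headers = {};
  return {
    add(key, value) {
      headers[key] = headers[key] || [];
      headers[key].push(value);
    },
    get: (key) => headers[key],
  };
}

// Approach 2, naive: drop only the three well-known names. Any other inherited
// Object.prototype member still returns a truthy non-array and crashes.
const DENY = new Set(['__proto__', 'constructor', 'prototype']);
function denylistStore() {
  const headers = {};
  return {
    add(key, value) {
      if (DENY.has(key)) return; // rejected
      headers[key] = headers[key] || [];
      headers[key].push(value);
    },
    get: (key) => headers[key],
  };
}

// Approach 2, done properly: reuse an entry only when it is an OWN property,
// and refuse "__proto__" because assigning to it would replace the prototype.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
function ownCheckStore() {
  const headers = {};
  return {
    add(key, value) {
      if (key === '__proto__') return; // rejected
      if (!hasOwn(headers, key)) headers[key] = [];
      headers[key].push(value);
    },
    get: (key) => (hasOwn(headers, key) ? headers[key] : undefined),
  };
}

// Approach 1: prototype-less object. "__proto__" and "toString" are just keys.
function nullProtoStore() {
  const headers = Object.create(null);
  return {
    add(key, value) {
      headers[key] = headers[key] || [];
      headers[key].push(value);
    },
    get: (key) => headers[key],
  };
}

// Approach 3: Map. Lookups never consult the prototype chain.
function mapStore() {
  const headers = new Map();
  return {
    add(key, value) {
      if (!headers.has(key)) headers.set(key, []);
      headers.get(key).push(value);
    },
    get: (key) => headers.get(key),
  };
}

// Feed already-split (name, value) pairs to a store; report ok/crash and what
// a later lookup of probeKey returns (the stored array, or null).
function outcome(makeStore, pairs, probeKey) {
  try {
    const store = makeStore();
    for (const [k, v] of pairs) store.add(k, v);
    const got = store.get(probeKey);
    return { ok: true, stored: Array.isArray(got) ? got : null };
  } catch (e) {
    return { ok: false, errorType: e.constructor.name };
  }
}

// Constructed inputs: one normal header followed by one hostile name.
const WITH_PROTO = [['From', 'alice@example.com'], ['__proto__', 'crash']];
const WITH_TOSTRING = [['From', 'alice@example.com'], ['toString', 'crash']];

const STORES = { vulnerableStore, denylistStore, ownCheckStore, nullProtoStore, mapStore };
for (const [name, make] of Object.entries(STORES)) {
  console.log(name.padEnd(16),
    '__proto__ ->', JSON.stringify(outcome(make, WITH_PROTO, '__proto__')),
    ' toString ->', JSON.stringify(outcome(make, WITH_TOSTRING, 'toString')));
}
```

The vulnerable store crashes on both inputs; the naive deny-list survives `__proto__` but still crashes on `toString`, which is the caveat against recommendation 2 as literally stated; the own-property variant, the `Object.create(null)` store and the `Map` store all survive both, with the last two keeping `__proto__: crash` as an ordinary header value.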

**Upgrade Guidance**:
- Upgrade to haraka-email-message@1.3.2 or later
- If using Haraka SMTP server, upgrade to v3.1.4 or later which includes the patched library

**Testing Recommendations**:
1. Add unit tests for prototype pollution attempts in header parsing
2. Test with malicious header keys: `__proto__`, `constructor`, `prototype`, and other inherited `Object.prototype` names such as `toString` and `hasOwnProperty`
3. Implement input validation for all user-controlled data that becomes object keys

## Additional Notes

**Idempotency**: The reproduction script is fully idempotent. It creates a fresh test directory `/tmp/haraka_lib_test` each run and cleans up after itself.

**Edge Cases Tested**:
- Normal email headers: Parse successfully
- Malicious `__proto__` header: Confirmed crash

**Limitations**:
- The reproduction demonstrates the library-level vulnerability in isolation
- In a real Haraka SMTP server deployment, the exploit would require sending an actual email via SMTP with the malicious header
- The impact in production depends on process configuration (single vs cluster mode)
