Haraka Email Server Denial-of-Service Vulnerability via Proto Header

Vulnerability

A denial-of-service vulnerability has been identified in Haraka, a Node.js mail server, in versions prior to 3.1.4. The issue arises when an email is sent with '__proto__:' as a header name, causing the Haraka worker process to crash. In single-process mode, this failure brings down the entire server. In cluster mode, while the master restarts the worker, all active sessions are lost.

Impact

Exploitation of this vulnerability leads to a crash of the Haraka worker process. In single-process mode, the entire server goes down. In cluster mode, the master restarts the worker, but all sessions are lost.

Reproduction

The vulnerability can be reproduced by sending an email through the Haraka server with '__proto__:' included as a header. This can be done using a Python script that connects to the server via SMTP, sends the email, and includes the crash payload in the headers. The server will then crash, demonstrating the denial-of-service vulnerability.

Remediation

Users can upgrade to Haraka version 3.1.4 or later, where this vulnerability has been patched.
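The crash class described above is characteristic of header maps built on a plain JavaScript object, where the key "__proto__" resolves to the inherited prototype instead of an own property. The following added example is constructed for illustration and is not Haraka's code: it contrasts a naive multi-valued header store that throws a TypeError on such a header with a null-prototype store that treats the name as ordinary data. The raw header block is constructed sample input.

```javascript
// Constructed sample header block (not from a real message) containing the
// header name that triggers the failure.
const RAW_HEADERS = [
  'From: sender@example.test',
  'To: recipient@example.test',
  '__proto__: x',
  'Subject: hello',
].join('\r\n');

// Split "Name: value" lines into [lowercased name, value] pairs.
// Folded continuation lines are out of scope for this illustration.
function parseHeaderLines(raw) {
  return raw.split(/\r?\n/).filter(Boolean).map((line) => {
    const idx = line.indexOf(':');
    return [line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim()];
  });
}

// Vulnerable pattern (hypothetical, not Haraka's implementation): a plain
// object inherits Object.prototype, so headers['__proto__'] is the prototype
// itself, which is truthy but has no push() method.
function storeHeadersNaive(raw) {
  const headers = {};
  for (const [name, value] of parseHeaderLines(raw)) {
    if (!headers[name]) headers[name] = [];
    headers[name].push(value); // TypeError when name === '__proto__'
  }
  return headers;
}

// Hardened pattern: a null-prototype object has no inherited keys, so
// "__proto__" becomes a normal own property. A Map would work equally well.
function storeHeadersSafe(raw) {
  const headers = Object.create(null);
  for (const [name, value] of parseHeaderLines(raw)) {
    if (headers[name] === undefined) headers[name] = [];
    headers[name].push(value);
  }
  return headers;
}

// Returns true when the naive store crashes with a TypeError on the input.
function naiveThrows(raw) {
  try { storeHeadersNaive(raw); return false; } catch (e) { return e instanceof TypeError; }
}
```

In a mail server, an uncaught TypeError of this kind inside the connection handler is what takes the worker process down; the hardened store simply records the header and continues.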

Added: Apr 2, 2026, 8:23 PM
Updated: Apr 2, 2026, 8:23 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 2.5
exploitability: 9.7
remediation: 7.7
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.