{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34752", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T19:17:10.225Z", "datePublished": "2026-04-02T18:42:38.367Z", "dateUpdated": "2026-04-03T15:47:34.494Z"}, "containers": {"cna": {"title": "Haraka affected by DoS via `__proto__` email header", "problemTypes": [{"descriptions": [{"cweId": "CWE-248", "lang": "en", "description": "CWE-248: Uncaught Exception", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/haraka/Haraka/security/advisories/GHSA-xph3-r2jf-4vp3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/haraka/Haraka/security/advisories/GHSA-xph3-r2jf-4vp3"}, {"name": "https://github.com/haraka/Haraka/releases/tag/v3.1.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/haraka/Haraka/releases/tag/v3.1.4"}], "affected": [{"vendor": "haraka", "product": "Haraka", "versions": [{"version": "< 3.1.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T18:42:38.367Z"}, "descriptions": [{"lang": "en", "value": "Haraka is a Node.js mail server. Prior to version 3.1.4, sending an email with __proto__: as a header name crashes the Haraka worker process. This issue has been patched in version 3.1.4."}], "source": {"advisory": "GHSA-xph3-r2jf-4vp3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T15:47:22.511467Z", "id": "CVE-2026-34752", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T15:47:34.494Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34752", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T15:47:22.511467Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T15:47:28.929Z"}}], "cna": {"title": "Haraka affected by DoS via `__proto__` email header", "source": {"advisory": "GHSA-xph3-r2jf-4vp3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "haraka", "product": "Haraka", "versions": [{"status": "affected", "version": "< 3.1.4"}]}], "references": [{"url": "https://github.com/haraka/Haraka/security/advisories/GHSA-xph3-r2jf-4vp3", "name": "https://github.com/haraka/Haraka/security/advisories/GHSA-xph3-r2jf-4vp3", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/haraka/Haraka/releases/tag/v3.1.4", "name": "https://github.com/haraka/Haraka/releases/tag/v3.1.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Haraka is a Node.js mail server. Prior to version 3.1.4, sending an email with __proto__: as a header name crashes the Haraka worker process. This issue has been patched in version 3.1.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-248", "description": "CWE-248: Uncaught Exception"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T18:42:38.367Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34752", "state": "PUBLISHED", "dateUpdated": "2026-04-03T15:47:34.494Z", "dateReserved": "2026-03-30T19:17:10.225Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T18:42:38.367Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:haraka_project:haraka:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "C9BE9F60-CFA3-4F1C-808B-626BA5DCE6D2", "versionEndExcluding": "3.1.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Haraka is a Node.js mail server. Prior to version 3.1.4, sending an email with __proto__: as a header name crashes the Haraka worker process. This issue has been patched in version 3.1.4."}], "id": "CVE-2026-34752", "lastModified": "2026-04-03T19:50:42.600", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T19:21:33.517", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/haraka/Haraka/releases/tag/v3.1.4"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/haraka/Haraka/security/advisories/GHSA-xph3-r2jf-4vp3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-248"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.1.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Haraka", "source": "cna", "vendor": "haraka"}, "product": "haraka", "vendor": "haraka"}], "analysis": {"en": {"generated_at": "2026-04-03T22:25:38.835363+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch by upgrading Haraka to version 3.1.4 or later; this version removes the crash condition triggered by the __proto__ header."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The affected product is Haraka by the Haraka Project. Versions prior to 3.1.4 are vulnerable; any deployment running 3.1.3 or older is at risk. The issue is specific to the mail server component and does not directly affect other Node.js applications outside of Haraka.", "description_and_impact": "Haraka, a Node.js mail server, crashes when an email containing a header named __proto__ is processed. This crash stops the worker process that handles incoming mail, causing the entire service to become unavailable for that worker. The vulnerability can be triggered by an attacker without any authentication, leading to a denial of service for users relying on the affected server.", "risk_and_exploitability": "The CVSS score of 8.7 indicates high severity, and the EPSS score of less than 1% shows a low likelihood of exploitation in the wild, which is reflected by the vulnerability not being listed in CISA\u2019s KEV catalog. Despite the low exploitation probability, the attack vector is straightforward: an attacker can send a crafted email to the server over the network. No privileged access or additional conditions are required, making the vulnerability trivial to exploit for anyone able to reach the server."}}}}, "created": "2026-04-03T07:31:39.817506+00:00", "updated": "2026-04-07T07:55:27.935148+00:00", "vendors": ["haraka", "haraka$PRODUCT$haraka"]}