# REPRO-2026-00128: Haraka Mail Server DoS via __proto__ prototype pollution in email headers

## Summary

Status: published
Severity: high
Type: security
Confidence: Unknown

## Identifiers

REPRO ID: REPRO-2026-00128
CVE: CVE-2026-34752

## Package

Name: npm/Haraka
Ecosystem: github
Affected: < 3.1.4 (last known affected <= 3.1.3)
Fixed: Unknown

## Root Cause

### Root Cause Analysis: CVE-2026-34752

#### Summary

CVE-2026-34752 is a Denial of Service vulnerability in the haraka-email-message library (v1.2.0 and earlier). The vulnerability occurs in the `Header.parse()` method when processing email headers with the key `__proto__`. Because the header name is used unchecked as a property name via `this.headers[key]` on a plain object, accessing `this.headers['__proto__']` returns `Object.prototype` instead of a fresh array. The subsequent `this.headers[key][method](value)` call (where `method` is `"push"`) then fails with a TypeError, since `Object.prototype.push` is not a function. If the exception is not caught, it terminates the whole process.

#### Impact

- **Package**: haraka-email-message
- **Affected Versions**: 1.2.0 and earlier (bundled with Haraka@3.1.3)
- **Fixed Versions**: 1.3.2 (latest as of March 2026)
- **Risk Level**: High
- **Consequences**:
  - Application crash/DoS via prototype pollution
  - Uncaught TypeError terminates the Node.js process
  - In a Haraka SMTP server context: single-process mode causes a full server crash, cluster mode kills worker processes

#### Root Cause

The vulnerability exists in `lib/header.js` (in v1.2.0 bundled in `index.js`) in the `_add_header()` function at lines 150-151:

```javascript
_add_header (key, value, method) {
    this.headers[key] = this.headers[key] || [];
    this.headers[key][method](value);
}
```

When `key` is `__proto__`:

1. `this.headers['__proto__']` returns `Object.prototype` (reached through the object's prototype chain)
2. `Object.prototype` is truthy, so the `|| []` fallback is never evaluated
3. `this.headers['__proto__']` still evaluates to `Object.prototype`
4. `Object.prototype['push'](value)` is called, but `Object.prototype.push` is `undefined`, not a function
5. A TypeError is thrown: "this.headers[key][method] is not a function"

The `Header.parse()` method calls `_add_header(key, val, "push")` for every header line it parses, so this is the path by which a crafted message's header block reaches the vulnerable code: a single malformed header name is enough to raise the exception.

**Fix**: The patched version uses `Object.create(null)` for the headers object or validates/sanitizes header keys to prevent prototype pollution.

#### Reproduction Steps

The reproduction script `repro/reproduction_steps.sh`:

1. Installs the vulnerable haraka-email-message@1.2.0 package
2. Creates a Node.js harness that imports the library
3. First tests normal headers to confirm baseline functionality
4. Then tests malicious headers containing `__proto__: crash`
5. Confirms the TypeError is thrown as expected

**Execution**:

```bash
./repro/reproduction_steps.sh
```

**Expected Evidence**:

- Normal headers parse successfully
- Malicious headers with a `__proto__` key cause TypeError: "this.headers[key][method] is not a function"
- Crash evidence saved to `artifacts/crash_evidence.json`

#### Evidence

**Log Files**:

- `logs/npm_install.log` - Package installation log
- `logs/exploit.log` - Exploit execution log showing the crash

**Key Excerpt from exploit.log**:

```
[+] Test 2: Parsing malicious headers with __proto__ key...
[+] This triggers the prototype pollution vulnerability in _add_header()
[+] CRASH CONFIRMED!
[+] Error type: TypeError
[+] Error message: this.headers[key][method] is not a function
[+] This matches the expected vulnerability behavior
```

**Crash Evidence** (`artifacts/crash_evidence.json`):

```json
{
  "vulnerability": "CVE-2026-34752",
  "library": "haraka-email-message",
  "version": "1.2.0",
  "entrypoint": "Header.parse()",
  "trigger": "__proto__ header key",
  "error": {
    "type": "TypeError",
    "message": "this.headers[key][method] is not a function"
  }
}
```

**Environment**:

- Node.js version: v18.x (from container)
- Library version: haraka-email-message@1.2.0
- OS: Linux (container environment)

#### Recommendations / Next Steps

**Fix Approach**:

1. Use `Object.create(null)` instead of `{}` for the `this.headers` object, so the store has no prototype chain that a header name can reach
2. Sanitize all header keys to reject or escape `__proto__`, `constructor`, and `prototype`
3. Use a `Map` instead of a plain object for header storage

**Upgrade Guidance**:

- Upgrade to haraka-email-message@1.3.2 or later
- If using the Haraka SMTP server, upgrade to v3.1.4 or later, which includes the patched library

**Testing Recommendations**:

1. Add unit tests for prototype pollution attempts in header parsing
2. Test with malicious header keys: `__proto__`, `constructor`, `prototype`
3. Implement input validation for all user-controlled data that becomes object keys

#### Additional Notes

**Idempotency**: The reproduction script is fully idempotent. It creates a fresh test directory `/tmp/haraka_lib_test` on each run and cleans up after itself.
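To make the Fix Approach above concrete, the following is an added example and not code from haraka-email-message or Haraka: a minimal header store written in the shape of the `_add_header()` pattern described in the Root Cause, first in its vulnerable form and then hardened with a prototype-less object plus header-name validation. The class names, the `parseHeaderBlock()` helper and the two sample header blocks are constructed here for illustration and are assumptions, not the library's API.

```javascript
// Added example (illustrative, not the library's code): the _add_header()
// pattern in a vulnerable and a hardened form, plus a tiny header-block
// parser so both can be exercised on the same constructed input.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const ALLOWED_METHODS = new Set(['push', 'unshift']);

// Vulnerable shape: a plain {} whose prototype chain is reachable by key.
class VulnerableHeaders {
  constructor() {
    this.headers = {};
  }
  _add_header(key, value, method) {
    // For key '__proto__', this.headers[key] is Object.prototype (truthy), so
    // '|| []' never runs and Object.prototype.push is not a function.
    // 'constructor' behaves the same way: Object has no push either.
    this.headers[key] = this.headers[key] || [];
    this.headers[key][method](value);
    return true;
  }
}

// Hardened shape: no prototype chain, only own properties, forbidden names dropped.
class HardenedHeaders {
  constructor() {
    // Object.create(null) has no __proto__ accessor and no inherited
    // properties, so a header name can only ever hit an own property.
    this.headers = Object.create(null);
  }
  _add_header(key, value, method) {
    const name = String(key).toLowerCase();
    if (FORBIDDEN_KEYS.has(name) || !ALLOWED_METHODS.has(method)) {
      // Drop rather than throw: an exception on a header name is exactly what
      // turns malformed input into a process crash.
      return false;
    }
    // 'in' is safe here because the object has no prototype to search.
    if (!(name in this.headers)) this.headers[name] = [];
    this.headers[name][method](value);
    return true;
  }
  get(key) {
    return this.headers[String(key).toLowerCase()] || [];
  }
}

// Parse a simple "Name: value" header block (no folding, no continuation
// lines) into a store. Returns counts of stored and dropped headers, plus the
// error name if the store threw, so a caller can observe the failure without
// the process dying.
function parseHeaderBlock(store, text) {
  const result = { stored: 0, dropped: 0, error: null };
  try {
    for (const line of text.split(/\r?\n/)) {
      if (line === '') continue;
      const idx = line.indexOf(':');
      if (idx === -1) continue;
      const key = line.slice(0, idx).trim();
      const value = line.slice(idx + 1).trim();
      if (store._add_header(key, value, 'push')) result.stored += 1;
      else result.dropped += 1;
    }
  } catch (err) {
    result.error = err.name; // 'TypeError' for the vulnerable store
  }
  return result;
}

// Constructed sample header blocks: one benign, one carrying the crash key.
const BENIGN = 'From: a@example.com\r\nSubject: hello\r\n';
const MALICIOUS = 'From: a@example.com\r\n__proto__: crash\r\nSubject: hello\r\n';

function demo() {
  console.log('vulnerable, benign:   ', parseHeaderBlock(new VulnerableHeaders(), BENIGN));
  console.log('vulnerable, malicious:', parseHeaderBlock(new VulnerableHeaders(), MALICIOUS));
  const hardened = new HardenedHeaders();
  console.log('hardened, malicious:  ', parseHeaderBlock(hardened, MALICIOUS));
  console.log('hardened subject:     ', hardened.get('Subject'));
}

demo();
```

Running the file parses the benign block and the `__proto__` block with both stores: the vulnerable store reports a TypeError on the second block after storing only the first header, while the hardened store records the bad header as dropped and keeps the rest. A unit test for the patched parser should assert exactly that on `__proto__`, `constructor` and `prototype` names, as the Testing Recommendations suggest; rejecting the whole message at the SMTP layer would be an equally safe policy, as long as the rejection is a return value rather than an uncaught exception.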
**Edge Cases Tested**:

- Normal email headers: parse successfully
- Malicious `__proto__` header: confirmed crash

**Limitations**:

- The reproduction demonstrates the library-level vulnerability in isolation
- In a real Haraka SMTP server deployment, triggering it requires delivering an actual message carrying the malicious header over SMTP
- The impact in production depends on process configuration (single vs cluster mode)

## Reproduction Details

Reproduced: 2026-04-04T12:49:04.556Z
Duration: 1025 seconds
Tool calls: 155
Turns: Unknown
Handoffs: 3

## Quick Verification

Run one of these commands to verify locally:

```bash
pruva-verify REPRO-2026-00128
pruva-verify CVE-2026-34752
```

Or open in GitHub Codespaces (zero-friction, auto-runs):

https://github.com/codespaces/new?ref=repro/REPRO-2026-00128&repo=N3mes1s/pruva-sandbox

Or download and run the script manually:

```bash
curl -O https://api.pruva.dev/v1/reproductions/REPRO-2026-00128/artifacts/repro/reproduction_steps.sh
chmod +x reproduction_steps.sh
./reproduction_steps.sh
```

WARNING: Run in a sandboxed environment. This exploits a real vulnerability.
## References

- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34752
- Source: https://github.com/advisories/GHSA-xph3-r2jf-4vp3

## Artifacts

- repro/rca_report.md (analysis, 5095 bytes)
- repro/reproduction_steps.sh (reproduction_script, 5088 bytes)
- vuln_variant/rca_report.md (analysis, 6318 bytes)
- vuln_variant/reproduction_steps.sh (reproduction_script, 12117 bytes)
- coding/proposed_fix.diff (patch, 926 bytes)
- bundle/ticket.json (other, 3470 bytes)
- bundle/AGENTS.repro.md (documentation, 686 bytes)
- bundle/ticket.md (ticket, 2928 bytes)
- repro/runtime_manifest.json (other, 554 bytes)
- repro/validation_verdict.json (other, 661 bytes)
- logs/npm_install.log (log, 138 bytes)
- logs/exploit.log (log, 564 bytes)
- vuln_variant/variant_manifest.json (other, 2034 bytes)
- vuln_variant/source_identity.json (other, 778 bytes)
- vuln_variant/patch_analysis.md (documentation, 3360 bytes)
- vuln_variant/validation_verdict.json (other, 1999 bytes)
- logs/variant_test.log (log, 7446 bytes)
- logs/npm_vuln.log (log, 414 bytes)
- logs/npm_fixed.log (log, 429 bytes)
- coding/verify_fix.log (log, 666 bytes)
- coding/verify_fix.sh (other, 2826 bytes)
- coding/summary_report.md (documentation, 2251 bytes)

## API Access

- JSON: https://api.pruva.dev/v1/reproductions/REPRO-2026-00128
- Script: https://api.pruva.dev/v1/reproductions/REPRO-2026-00128/artifacts/repro/reproduction_steps.sh
- Web: https://pruva.dev/r/REPRO-2026-00128

## For AI Assistants

To help users with this reproduction:

1. The `pruva-verify` command is the simplest way to run the reproduction
2. The script downloads and runs automatically in an isolated temp directory
3. Always recommend running in a VM, container, or disposable environment
4. The root cause explains the technical vulnerability

---

Generated by Pruva | https://pruva.dev