PT-2026-29673 · Haraka · Haraka

Sebastianosrt · Published 2026-04-01 · Updated 2026-04-03 · CVE-2026-34752

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Haraka versions prior to 3.1.4

Description

Haraka, a Node.js mail server, is susceptible to a crash when processing emails containing the '__proto__:' header. This occurs because the header parser stores headers in a plain object. When the key is '__proto__', the lookup resolves to the Object prototype rather than to a header entry, and the parser's attempt to call the 'push' function on it results in a TypeError. In single-process mode, this crash terminates the entire server. In cluster mode, the master process restarts the worker, leading to session loss.

Recommendations

Update Haraka to version 3.1.4 or later.
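
The failure mode from the description next to one common hardening (a Map instead of a plain object), as an added example: this is not Haraka's code and not necessarily the change shipped in 3.1.4, and the function names and sample headers are constructed for illustration.

```javascript
// Added illustration, not Haraka's source; all names here are hypothetical.

// Split "Name: value" into a lower-cased key and a trimmed value.
function splitHeader(line) {
  const idx = line.indexOf(':');
  if (idx === -1) return null;
  return [line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim()];
}

// Pattern from the description: header values collected in a plain object.
function parseHeadersPlain(lines) {
  const headers = {};
  for (const line of lines) {
    const kv = splitHeader(line);
    if (!kv) continue;
    const [key, value] = kv;
    // For "__proto__" this lookup returns Object.prototype (truthy),
    // so no array is created for the key.
    if (!headers[key]) headers[key] = [];
    headers[key].push(value); // Object.prototype has no push: TypeError
  }
  return headers;
}

// Hardened form: a Map has no inherited keys, so every name is plain data.
function parseHeadersSafe(lines) {
  const headers = new Map();
  for (const line of lines) {
    const kv = splitHeader(line);
    if (!kv) continue;
    const [key, value] = kv;
    if (!headers.has(key)) headers.set(key, []);
    headers.get(key).push(value);
  }
  return headers;
}

// Constructed sample header block.
const SAMPLE = ['From: a@example.org', 'Subject: hi', '__proto__: x', 'Subject: again'];

// Returns the error name raised by the plain-object parser, or null if none.
function plainParserError(lines) {
  try { parseHeadersPlain(lines); return null; } catch (e) { return e.name; }
}

console.log(plainParserError(SAMPLE), [...parseHeadersSafe(SAMPLE).keys()]);
```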

Related Identifiers

CVE-2026-34752
GHSA-XPH3-R2JF-4VP3

Affected Products

Haraka