Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (https://github.com/symfony/symfony) · only source for this CVE.
CVSS VectorVendor: https://github.com/symfony/symfony
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Description
Symfony\Component\Mime\Address is the value-object every Symfony Mailer address (to/cc/bcc/from/reply-to) flows through; its constructor is documented as validating the address and throwing on invalid input, so developers treat it as a security boundary.
The constructor accepts email addresses whose local-part (the part before @) is an RFC-5322 *quoted string* containing raw \r\n bytes, e.g. "x\r\nBcc: attacker@evil"@example.com. The stored address is later emitted verbatim into (1) the rendered message headers and (2) SmtpTransport's MAIL FROM:<...> / RCPT TO:<...> protocol lines, turning the embedded CRLF into a new mail header and/or a new SMTP command.
Resolution
The Address constructor now rejects addresses containing line breaks.
The patch for this issue is available here for branch 5.4.
Credits
We would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
AnalysisAI
Email-header and SMTP command injection (CWE-93) in Symfony's Mime component (symfony/mime, also shipped in the symfony/symfony monolith) lets an attacker who controls any address value smuggle CRLF sequences past a trusted validation boundary. The Address value-object - used for every Mailer to/cc/bcc/from/reply-to address - accepts an RFC-5322 quoted-string local-part containing raw carriage-return/line-feed bytes, which is later emitted verbatim into rendered message headers and into SmtpTransport's MAIL FROM/RCPT TO lines, allowing injection of new headers (e.g. an unauthorized Bcc) or new SMTP commands. It affects symfony/mime before 5.4.52, 6.4.40, and 7.4.12; there is no public exploit identified at time of analysis and the issue is not in CISA KEV.
Technical ContextAI
The vulnerable code is Symfony\Component\Mime\Address, the value object through which every Symfony Mailer address flows. Its constructor is documented as validating input and throwing on invalid addresses, so developers treat it as a security boundary. The root cause is CWE-93 (Improper Neutralization of CRLF Sequences): the constructor permits an RFC-5322 quoted-string local-part - the segment before the @, e.g. "x\r\nBcc: attacker@evil"@example.com - that contains literal \r\n bytes. Because Address never strips or rejects these line breaks, the stored value is rendered verbatim in two sinks: (1) the assembled MIME message headers, where the CRLF starts a new header line, and (2) SmtpTransport's MAIL FROM:<...> and RCPT TO:<...> protocol lines, where the CRLF starts a new SMTP command. The affected distribution units per CPE/composer metadata are pkg:composer/symfony_mime (the standalone component) and pkg:composer/symfony_symfony (the full framework that bundles it).
RemediationAI
Apply the vendor-released patch by upgrading symfony/mime (or symfony/symfony) to the fixed release for your branch: 5.4.52 on the 5.4 line, 6.4.40 on the 6.x line, or 7.4.12 on the 7.x line, e.g. composer require symfony/mime:^7.4.12 (or the equivalent for your major version); these versions add a constructor check that rejects any address containing line breaks. The underlying fix is commit dc2dbd29211eb4ddc451373fa1374fb926e94604. If you cannot upgrade immediately, the targeted compensating control is to reject or strip \r and \n from any user-controlled value before it is passed into Symfony\Component\Mime\Address (or into Mailer to/cc/bcc/from/reply-to setters) - for example validate addresses against a strict pattern that disallows quoted-string local-parts and control characters; the trade-off is that overly strict filtering may reject rare-but-legitimate quoted local-parts, and the control must be applied at every call site that handles untrusted input, which is error-prone compared to the library fix. Full details: https://github.com/symfony/symfony/security/advisories/GHSA-qpmx-3rfj-7rhv.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44322
GHSA-qpmx-3rfj-7rhv