Skip to main content

Symfony Mime CVE-2026-45067

| EUVDEUVD-2026-44322 MEDIUM
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-05-27 https://github.com/symfony/symfony GHSA-qpmx-3rfj-7rhv
6.3
CVSS 4.0 · Vendor: https://github.com/symfony/symfony
Share

Severity by source

Vendor (https://github.com/symfony/symfony) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (https://github.com/symfony/symfony) · only source for this CVE.

CVSS VectorVendor: https://github.com/symfony/symfony

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jul 14, 2026 - 18:22 NVD
6.3 (MEDIUM)
Source Code Evidence Fetched
May 27, 2026 - 23:06 vuln.today
Analysis Generated
May 27, 2026 - 23:06 vuln.today

DescriptionCVE.org

Description

Symfony\Component\Mime\Address is the value-object every Symfony Mailer address (to/cc/bcc/from/reply-to) flows through; its constructor is documented as validating the address and throwing on invalid input, so developers treat it as a security boundary.

The constructor accepts email addresses whose local-part (the part before @) is an RFC-5322 *quoted string* containing raw \r\n bytes, e.g. "x\r\nBcc: attacker@evil"@example.com. The stored address is later emitted verbatim into (1) the rendered message headers and (2) SmtpTransport's MAIL FROM:<...> / RCPT TO:<...> protocol lines, turning the embedded CRLF into a new mail header and/or a new SMTP command.

Resolution

The Address constructor now rejects addresses containing line breaks.

The patch for this issue is available here for branch 5.4.

Credits

We would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.

AnalysisAI

Email-header and SMTP command injection (CWE-93) in Symfony's Mime component (symfony/mime, also shipped in the symfony/symfony monolith) lets an attacker who controls any address value smuggle CRLF sequences past a trusted validation boundary. The Address value-object - used for every Mailer to/cc/bcc/from/reply-to address - accepts an RFC-5322 quoted-string local-part containing raw carriage-return/line-feed bytes, which is later emitted verbatim into rendered message headers and into SmtpTransport's MAIL FROM/RCPT TO lines, allowing injection of new headers (e.g. an unauthorized Bcc) or new SMTP commands. It affects symfony/mime before 5.4.52, 6.4.40, and 7.4.12; there is no public exploit identified at time of analysis and the issue is not in CISA KEV.

Technical ContextAI

The vulnerable code is Symfony\Component\Mime\Address, the value object through which every Symfony Mailer address flows. Its constructor is documented as validating input and throwing on invalid addresses, so developers treat it as a security boundary. The root cause is CWE-93 (Improper Neutralization of CRLF Sequences): the constructor permits an RFC-5322 quoted-string local-part - the segment before the @, e.g. "x\r\nBcc: attacker@evil"@example.com - that contains literal \r\n bytes. Because Address never strips or rejects these line breaks, the stored value is rendered verbatim in two sinks: (1) the assembled MIME message headers, where the CRLF starts a new header line, and (2) SmtpTransport's MAIL FROM:<...> and RCPT TO:<...> protocol lines, where the CRLF starts a new SMTP command. The affected distribution units per CPE/composer metadata are pkg:composer/symfony_mime (the standalone component) and pkg:composer/symfony_symfony (the full framework that bundles it).

RemediationAI

Apply the vendor-released patch by upgrading symfony/mime (or symfony/symfony) to the fixed release for your branch: 5.4.52 on the 5.4 line, 6.4.40 on the 6.x line, or 7.4.12 on the 7.x line, e.g. composer require symfony/mime:^7.4.12 (or the equivalent for your major version); these versions add a constructor check that rejects any address containing line breaks. The underlying fix is commit dc2dbd29211eb4ddc451373fa1374fb926e94604. If you cannot upgrade immediately, the targeted compensating control is to reject or strip \r and \n from any user-controlled value before it is passed into Symfony\Component\Mime\Address (or into Mailer to/cc/bcc/from/reply-to setters) - for example validate addresses against a strict pattern that disallows quoted-string local-parts and control characters; the trade-off is that overly strict filtering may reject rare-but-legitimate quoted local-parts, and the control must be applied at every call site that handles untrusted input, which is error-prone compared to the library fix. Full details: https://github.com/symfony/symfony/security/advisories/GHSA-qpmx-3rfj-7rhv.

Share

CVE-2026-45067 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy