CRLF Injection Affecting symfony/mime package, versions <5.4.52>=6.0.0-BETA1, <6.4.40>=7.0.0-BETA1, <7.4.12>=8.0.0-BETA1, <8.0.12
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PHP-SYMFONYMIME-16797270
- published22 May 2026
- disclosed20 May 2026
- creditFabian Fleischer
Introduced: 20 May 2026
NewCVE-2026-45070 (opens in a new tab)Common Vulnerabilities and Exposures (CVE) are common identifiers for publicly known security vulnerabilities
Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade symfony/mime to version 5.4.52, 6.4.40, 7.4.12, 8.0.12 or higher.
Overview
symfony/mime is a library to manipulate MIME messages.
Affected versions of this package are vulnerable to CRLF Injection via Non-Token Characters in Mime Parameter Names. A caller that derives a parameter name from untrusted input, e.g. an application that lets a user influence a Content-Disposition parameter name, can include \r\n or other non-token bytes inside the name, terminating the current header and injecting additional headers in the rendered message.