CRLF Injection Affecting symfony/mime package, versions <5.4.52; >=6.0.0-BETA1, <6.4.40; >=7.0.0-BETA1, <7.4.12; >=8.0.0-BETA1, <8.0.12


Severity: medium (CVSS assessment by Snyk's Security Team)

  • Snyk ID: SNYK-PHP-SYMFONYMIME-16797290
  • Published: 22 May 2026
  • Disclosed: 20 May 2026
  • Credit: Claude Mythos Preview

Introduced: 20 May 2026

CVE-2026-45067
CWE-93

How to fix?

Upgrade symfony/mime to version 5.4.52, 6.4.40, 7.4.12, 8.0.12 or higher.

Overview

symfony/mime is a library to manipulate MIME messages.

Affected versions of this package are vulnerable to CRLF Injection because the Symfony\Component\Mime\Address constructor does not reject carriage return and line feed bytes in user-supplied input. The constructor accepts email addresses whose local-part (the part before @) is an RFC 5322 quoted string containing raw \r\n bytes, e.g. "x\r\nBcc: attacker@evil"@example.com. The stored address is later emitted verbatim into the rendered message headers and into SmtpTransport's MAIL FROM:<...> / RCPT TO:<...> protocol lines, so the embedded CRLF terminates the current line and starts a new mail header and/or a new SMTP command.
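As an added example (not code from symfony/mime or the advisory), the guard below rejects any address or display name carrying CR, LF or another ASCII control byte before it reaches the Address constructor, which closes the gap independently of the library version. It assumes symfony/mime is installed via Composer; the class name StrictAddressFactory is hypothetical.

```php
<?php
// Added example: refuse control bytes at the input boundary, then hand the
// clean string to Symfony's Address. Assumes symfony/mime via Composer.
declare(strict_types=1);

use Symfony\Component\Mime\Address;

final class StrictAddressFactory
{
    /**
     * Build an Address only if the raw string contains no CR, LF or other
     * control bytes anywhere, including inside an RFC 5322 quoted local-part.
     *
     * @throws InvalidArgumentException on the first control byte found
     */
    public static function fromString(string $raw, string $name = ''): Address
    {
        self::assertNoControlBytes($raw, 'address');
        self::assertNoControlBytes($name, 'display name');

        return new Address($raw, $name);
    }

    public static function assertNoControlBytes(string $value, string $what): void
    {
        // [\x00-\x1F\x7F] covers \r (0x0D) and \n (0x0A) as well as NUL and DEL.
        if (preg_match('/[\x00-\x1F\x7F]/', $value, $m, PREG_OFFSET_CAPTURE) === 1) {
            $byte = sprintf('0x%02X', ord($m[0][0]));
            throw new InvalidArgumentException(sprintf(
                'Refusing %s: control byte %s at offset %d', $what, $byte, $m[0][1]
            ));
        }
    }
}

// Constructed inputs: a benign quoted local-part and the advisory's CRLF payload.
$inputs = [
    '"john doe"@example.com',
    "\"x\r\nBcc: attacker@evil\"@example.com",
];

foreach ($inputs as $input) {
    try {
        $address = StrictAddressFactory::fromString($input);
        echo 'accepted: ', $address->toString(), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The first input is accepted as a normal quoted local-part; the second is rejected at offset 2 (0x0D) before any header or SMTP line is rendered. Upgrading remains the fix; the guard is defense in depth for addresses taken from untrusted sources.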
