Email Address Validation Flaw in Symfony Mailer Affects Multiple Versions
CVE-2026-45067
6.3MEDIUM
What is CVE-2026-45067?
The Symfony Mailer contains a vulnerability in its handling of email addresses within the Address component. This issue arises when the constructor incorrectly allows email addresses with line breaks in the local-part, which are RFC-5322 quoted strings containing raw bytes. When these addresses are processed, the embedded CRLF can be transformed into new mail headers or SMTP commands, potentially leading to address spoofing and unauthorized actions within email communications. A patch has been released to reject such invalid addresses, thereby securing the integrity of email header information.
Affected Version(s)
symfony < 5.4.52 < 5.4.52
symfony >= 6.0.0-BETA1, < 6.4.40 < 6.0.0-BETA1, 6.4.40
symfony >= 7.0.0-BETA1, < 7.4.12 < 7.0.0-BETA1, 7.4.12
