Affected versions
Symfony versions <5.4.52, >=6, <6.4.40, >=7, <7.4.12, >=8, <8.0.12 of the Symfony MIME component are affected by this security issue.
The issue has been fixed in Symfony 5.4.52, 6.4.40, 7.4.12, 8.0.12.
Description
Symfony (and the related parameter handling reachable from Symfony) is responsible for serializing structured headers such as Content-Type and Content-Disposition, which carry key=value parameters (e.g. Content-Disposition: attachment; filename="x").
RFC 2045 / RFC 5322 require parameter names to be tokens: a restricted ASCII subset that excludes whitespace, CR/LF, and the tspecials set. Symfony's parameter handling validates and properly encodes parameter values, but does not validate parameter names: the supplied name is emitted verbatim into the serialized header.
A caller that derives a parameter name from untrusted input, e.g. an application that lets a user influence a Content-Disposition parameter name, can include \r\n or other non-token bytes inside the name, terminating the current header and injecting additional headers in the rendered message. This is the classic CRLF / header-injection primitive applied to the parameter-name slot.
Resolution
ParameterizedHeader now rejects parameter names that contain bytes outside the RFC token character class.
The patch for this issue is available here for branch 5.4.
Credits
We would like to thank Fabian Fleischer for reporting the issue and Alexandre Daubois for fixing it.