Description "Symfony\Component\Mime\Address" is the value-object every Symfony Mailer address (to/cc/bcc/from/reply-to) flows through; its constructor is documented as validating the address and throwing on invalid input, so developers treat it as a security boundary. The constructor accepts email addresses whose local-part (the part before "@") is an RFC-5322 quoted string containing raw "\r\n" bytes, e.g. ""x\r\nBcc: attacker@evil"@example.com". The stored address is later emitted verbatim into (1) the rendered message headers and (2) "SmtpTransport"'s "MAIL FROM:<...>" / "RCPT TO:<...>" protocol lines, turning the embedded CRLF into a new mail header and/or a new SMTP command. Resolution The "Address" constructor now rejects addresses containing line breaks. The patch for this issue is available "here" (https://github.com/symfony/symfony/commit/dc2dbd29211eb4ddc451373fa1374fb926e94604) for branch 5.4. Credits We would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.