Description "Symfony\Component\Mime\Header\ParameterizedHeader" (and the related parameter handling reachable from "Symfony\Component\Mime\Header\Headers") is responsible for serializing structured headers such as "Content-Type" and "Content-Disposition", which carry "key=value" parameters (e.g. "Content-Disposition: attachment; filename="x""). RFC 2045 / RFC 5322 require parameter names to be "tokens": a restricted ASCII subset that excludes whitespace, CR/LF, and the "tspecials" set. Symfony's parameter handling validates and properly encodes parameter values, but does not validate parameter names: the supplied name is emitted verbatim into the serialized header. A caller that derives a parameter name from untrusted input, e.g. an application that lets a user influence a "Content-Disposition" parameter name, can include "\r\n" or other non-token bytes inside the name, terminating the current header and injecting additional headers in the rendered message. This is the classic CRLF / header-injection primitive applied to the parameter-name slot. Resolution "ParameterizedHeader" now rejects parameter names that contain bytes outside the RFC "token" character class. The patch for this issue is available "here" (https://github.com/symfony/symfony/commit/e62ea217f8b4ca8ae922ad0f949e0c4dc1f9b613) for branch 5.4. Credits Symfony would like to thank Fabian Fleischer for reporting the issue and Alexandre Daubois for fixing it.