Security Fix: Swiftmailer 5.2.1 released

Swiftmailer 5.2.1 has just been released and it contains a security fix.

Prior to 5.2.1, the sendmail transport (Swift_Transport_SendmailTransport) was vulnerable to arbitrary shell command execution if the “From” header came from a non-trusted source and no “Return-Path” was configured. This has been fixed in 5.2.1. If you are using sendmail as a transport, you are encouraged to upgrade as soon as possible.

I’d like to thank Tim Starling, who reported this security issue and provided a way to reproduce it very easily.

You can easily check if your project is vulnerable by uploading your composer.lock file to security.sensiolabs.org.
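
The same check can be run locally. The script below is an added example, not the SensioLabs checker and not code from the Swiftmailer project: it reads a composer.lock and flags any swiftmailer/swiftmailer entry older than 5.2.1. The sample lock content is constructed, and reporting branch or pre-release versions as "unknown" is a choice made for this example.

```python
import json
import re

PACKAGE = "swiftmailer/swiftmailer"
FIXED = (5, 2, 1)  # first release containing the fix, per the announcement


def parse_version(raw):
    """Return (major, minor, patch) for tagged releases such as 'v5.2.0', else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:\.\d+)?", raw.strip())
    return tuple(map(int, m.groups())) if m else None


def audit_lock(lock_text):
    """Return (section, locked_version, verdict) for every Swiftmailer entry."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        # Older Composer versions write null instead of an empty list.
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() != PACKAGE:
                continue
            raw = pkg.get("version", "")
            parsed = parse_version(raw)
            if parsed is None:
                verdict = "unknown"   # e.g. 'dev-master': review by hand
            elif parsed < FIXED:
                verdict = "affected"  # older than 5.2.1
            else:
                verdict = "fixed"
            findings.append((section, raw, verdict))
    return findings


# Constructed sample input, standing in for a real composer.lock.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "swiftmailer/swiftmailer", "version": "v5.2.0"},
        {"name": "example/other", "version": "1.0.0"},
    ],
    "packages-dev": None,
})

if __name__ == "__main__":
    for section, version, verdict in audit_lock(SAMPLE_LOCK):
        print(f"{PACKAGE} {version} ({section}): {verdict}")
```

An "affected" result only means the locked version predates the fix; whether the project is exposed still depends on the conditions described above (sendmail transport, untrusted “From”, no “Return-Path”).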