Swiftmailer 5.2.1 has just been released and it contains a security fix.
Prior to 5.2.1, the sendmail transport (
Swift_Transport_SendmailTransport) was vulnerable to an arbitrary shell execution if the “From” header came from a non-trusted source and no “Return-Path” is configured. This has been fixed in 5.2.1. If you are using sendmail as a transport, you are encouraged to upgrade as soon as possible.
I’d like to thank Tim Starling who reported this security issue and provided a way to reproduce it very easily.
You can easily check if your project is vulnerable by uploading your
composer.lock file on security.sensiolabs.org.