Description The Mailtrap mailer bridge ships a webhook request parser used to authenticate and decode the event callbacks Mailtrap POSTs to an application's webhook endpoint. Its "doParse(Request $request, #[\SensitiveParameter] string $secret)" method receives the configured webhook secret but never reads it; it decodes and returns the payload unconditionally, ignoring the "X-Mt-Signature" HMAC header Mailtrap sends with each request. As a result, an application that wires up the Mailtrap webhook endpoint accepts any POST to that URL, even when a signing secret is configured (the recommended setup). An attacker who knows the endpoint exists can submit forged event payloads, fake delivery / bounce / open / click / spam events, leading to suppression-list corruption, delivery-metrics fraud, etc. Resolution "MailtrapRequestParser::doParse()" now requires and verifies the "X-Mt-Signature" header, an HMAC-SHA256 of the raw request body keyed with the configured secret, before decoding the payload, using a constant-time comparison. When no secret is configured the behaviour is unchanged: signature verification remains opt-in, but it is now actually enforced once opted in. The patch for this issue is available "here" (https://github.com/symfony/symfony/commit/4e0467e4e182cf2e704a3d9e1bc1a6be65d52ab8) for branch 7.4. Credits Symfony would like to thank Himanshu Anand for reporting the issue and Alexandre Daubois providing the fix.