diff --git a/src/Symfony/Component/Security/CHANGELOG.md b/src/Symfony/Component/Security/CHANGELOG.md
index dbfcb931aecd3..b143c899f9373 100644
--- a/src/Symfony/Component/Security/CHANGELOG.md
+++ b/src/Symfony/Component/Security/CHANGELOG.md
@@ -34,6 +34,7 @@ The CHANGELOG for version 5.4 and newer can be found in the security sub-package
  * Deprecate using `SessionTokenStorage` outside a request context, it will throw a `SessionNotFoundException` in Symfony 6.0
  * Randomize CSRF tokens to harden BREACH attacks
  * Deprecated voters that do not return a valid decision when calling the `vote` method.
+ * Flag `Serializable` implementation of `NullToken` as `@internal` and `@final`
 
 5.2.0
 -----
diff --git a/src/Symfony/Component/Security/Core/Authentication/Token/NullToken.php b/src/Symfony/Component/Security/Core/Authentication/Token/NullToken.php
index 5c8a1c24b1e12..4393f0bdbbd7a 100644
--- a/src/Symfony/Component/Security/Core/Authentication/Token/NullToken.php
+++ b/src/Symfony/Component/Security/Core/Authentication/Token/NullToken.php
@@ -103,6 +103,9 @@ public function __unserialize(array $data): void
 
     /**
      * @return string
+     *
+     * @internal in 5.3
+     * @final in 5.3
      */
     public function serialize()
     {
@@ -111,6 +114,9 @@ public function serialize()
 
     /**
      * @return void
+     *
+     * @internal in 5.3
+     * @final in 5.3
      */
     public function unserialize($serialized)
     {