CVE-2024-24752

Name of the Vulnerable Software and Affected Versions Bref versions prior to 2.1.13

Description The issue arises when Bref is used with the Event-Driven Function runtime and the handler is a RequestHandlerInterface. In this scenario, the Lambda event is converted to a PSR7 object. During the conversion process, if the request is a MultiPart, each part is parsed, and for each part that contains a file, it is extracted and saved in /tmp with a random filename starting with bref upload . However, the temporary files are not deleted after the request has been processed, allowing an attacker to fill the Lambda instance disk by performing multiple MultiPart requests containing files.

Recommendations For versions prior to 2.1.13, update to version 2.1.13 or later to resolve the issue. As a temporary workaround, consider implementing a mechanism to delete the temporary files after the request has been processed and the response has been generated. Restrict access to the /tmp directory to minimize the risk of exploitation. Avoid using the RequestHandlerInterface handler with the Event-Driven Function runtime until the issue is resolved.