PT-2024-20531 · Bref · Bref

Smaury · Published 2024-02-01 · Updated 2024-02-09

CVE-2024-24753
CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Bref versions prior to 2.1.13

Description: The issue arises when Bref is used in combination with an API Gateway using the v2 format, because it does not handle multi-value headers. If PHP generates a response with two headers that have the same key but different values, only the last one is kept. This can lower application security if an application relies on multiple headers with the same key being set for security reasons. For example, if an application sets multiple Content-Security-Policy headers, Bref would only reflect the last one.

Recommendations: For versions prior to 2.1.13, update to version 2.1.13 to resolve the issue. As a temporary workaround, concatenate the values of each multi-value header with a comma (,) as the separator and return a single header carrying all the values to the API Gateway.
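As an added illustration (not Bref's own code), the hypothetical converter below shows the lossy header mapping the description refers to beside the comma-joining workaround from the recommendations; it also routes Set-Cookie into the v2 format's separate cookies list, since cookie values may themselves contain commas. Function names and the sample header lines are constructed for this example.

```php
<?php
// Added example, not Bref's own code: maps a PHP response's header list onto the
// API Gateway v2 (HTTP API) response format, whose "headers" map holds one value per name.
/** Parse "Name: value" lines (the shape headers_list() reports), constructed here. */
function parseHeaderLines(array $headerLines): array
{
    $parsed = [];
    foreach ($headerLines as $line) {
        [$name, $value] = explode(':', $line, 2);
        // Header names are case-insensitive; normalise so duplicates collide.
        $parsed[] = [strtolower(trim($name)), trim($value)];
    }
    return $parsed;
}
/** Vulnerable mapping: a later value silently overwrites an earlier one. */
function toV2Lossy(array $headerLines): array
{
    $headers = [];
    foreach (parseHeaderLines($headerLines) as [$name, $value]) {
        $headers[$name] = $value;
    }
    return ['headers' => $headers, 'cookies' => []];
}
/** Hardened mapping: repeated names are comma-joined (the advisory's workaround).
 *  Set-Cookie values may contain commas, so they go to the v2 "cookies" list. */
function toV2Merged(array $headerLines): array
{
    $grouped = [];
    $cookies = [];
    foreach (parseHeaderLines($headerLines) as [$name, $value]) {
        if ($name === 'set-cookie') {
            $cookies[] = $value;
        } else {
            $grouped[$name][] = $value;
        }
    }
    // array_map keeps string keys, so header names survive the join.
    $headers = array_map(fn(array $v): string => implode(', ', $v), $grouped);
    return ['headers' => $headers, 'cookies' => $cookies];
}
// Constructed sample: two CSP headers and two cookies, as a PHP app might emit.
$lines = [
    "Content-Security-Policy: default-src 'self'",
    "Content-Security-Policy: frame-ancestors 'none'",
    'Set-Cookie: session=abc; Path=/; HttpOnly',
    'Set-Cookie: theme=dark; Path=/',
];
echo json_encode(toV2Lossy($lines), JSON_PRETTY_PRINT), "\n";
echo json_encode(toV2Merged($lines), JSON_PRETTY_PRINT), "\n";
```

Running it shows the lossy mapping keeping only the second policy and the last cookie, while the merged mapping delivers both policies in one comma-separated header (a form browsers enforce as two policies) and both cookies intact.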


Related Identifiers

CVE-2024-24753
GHSA-99F9-GV72-FW9R

Affected Products

Bref