PT-2024-20532 · Bref · Bref

Smaury · Published 2024-02-01 · Updated 2024-02-09 · CVE-2024-24754

CVSS v3.1: 3.7 (Low)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Bref versions prior to 2.1.13
Description: The vulnerability occurs when Bref is used with the Event-Driven Function runtime and the handler is a RequestHandlerInterface. In this scenario, the Lambda event is converted to a PSR-7 request object. During the conversion, if the request is multipart, each part is parsed and its content is added to the $files or $parsedBody arrays. For keys ending with an open square bracket ([), this conversion produces a different result than plain PHP's own body parsing. Depending on the application logic, this difference in body parsing might lead to vulnerabilities and/or undefined behaviour.
Recommendations: For versions prior to 2.1.13, update to version 2.1.13 or later to patch the vulnerability. As a temporary workaround, consider using the PHP function parse_str() to parse the body parameters and mimic plain PHP's behaviour. Restrict access to the vulnerable RequestHandlerInterface to minimize the risk of exploitation until the issue is resolved.
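The following is an added example, not Bref's code. It contrasts a hypothetical multipart field converter that splits part names on "[" and "]" itself (constructed here to illustrate the class of discrepancy the advisory describes, not Bref's actual implementation) with what plain PHP produces for the same field names, and shows the workaround from the recommendations: re-encode the parts as a query string and let parse_str() apply PHP's own key rules. The function names naiveAssign, naiveParse, parseLikePhp and divergingKeys, and every part name and value, are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not Bref's code. A hypothetical bracket-splitting converter is
// compared against parse_str(), which applies the same key rules PHP uses when
// it populates $_POST from a form body. All part names and values below are
// constructed samples.

/**
 * Hypothetical converter (constructed for illustration, not Bref's code).
 * It treats whatever follows the first "[" as an index, stripping a trailing
 * "]" if present, so "user[" is appended to $target['user'] and "user[role"
 * becomes $target['user']['role'].
 */
function naiveAssign(array &$target, string $name, string $value): void
{
    $open = strpos($name, '[');
    if ($open === false) {
        $target[$name] = $value;
        return;
    }
    $base  = substr($name, 0, $open);
    $index = rtrim(substr($name, $open + 1), ']');
    if (!isset($target[$base]) || !is_array($target[$base])) {
        $target[$base] = [];
    }
    if ($index === '') {
        $target[$base][] = $value;
    } else {
        $target[$base][$index] = $value;
    }
}

/** Parse a list of [name, value] parts with the hypothetical converter. */
function naiveParse(array $parts): array
{
    $result = [];
    foreach ($parts as [$name, $value]) {
        naiveAssign($result, $name, $value);
    }
    return $result;
}

/**
 * Workaround from the advisory: re-encode the parts as an
 * application/x-www-form-urlencoded string and hand it to parse_str().
 * parse_str() decodes %5B/%5D back to brackets before interpreting them,
 * so encoding the part name does not change how PHP reads it.
 */
function parseLikePhp(array $parts): array
{
    $pairs = [];
    foreach ($parts as [$name, $value]) {
        $pairs[] = rawurlencode($name) . '=' . rawurlencode($value);
    }
    parse_str(implode('&', $pairs), $result);
    return $result;
}

/** Top-level keys missing from one result or holding a different value. */
function divergingKeys(array $a, array $b): array
{
    $keys = array_unique(array_merge(array_keys($a), array_keys($b)));
    $diff = [];
    foreach ($keys as $key) {
        if (!array_key_exists($key, $a) || !array_key_exists($key, $b) || $a[$key] !== $b[$key]) {
            $diff[] = $key;
        }
    }
    return $diff;
}

// Constructed multipart field names: three well-formed ones and two whose
// key contains an unmatched "[".
$parts = [
    ['user[name]', 'alice'],
    ['items[]',    'one'],
    ['items[]',    'two'],
    ['user[',      'x'],
    ['user[role',  'admin'],
];

$naive  = naiveParse($parts);
$native = parseLikePhp($parts);

echo "Hypothetical converter:\n";
var_export($naive);
echo "\n\nparse_str() (plain PHP rules):\n";
var_export($native);
echo "\n\nTop-level keys that diverge: " . implode(', ', divergingKeys($naive, $native)) . "\n";
// Plain PHP folds the unmatched "[" into "_", producing the scalar keys
// "user_" and "user_role" and leaving $native['user'] as ['name' => 'alice'];
// the hypothetical converter instead merges both values into $naive['user'].
```

Running the script prints both parse results and the list of top-level keys on which they disagree ("user", "user_" and "user_role" for the constructed input). Wiring a comparison like divergingKeys() into a test suite is a practical way to confirm that a custom body converter matches native PHP before it is trusted with authorization-relevant fields.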


Related Identifiers

CVE-2024-24754
GHSA-82VX-MM6R-GG8W

Affected Products

Bref