PT-2024-22791 · Unknown+2 · Riverline/Multipart-Parser+2

Smaury · Published 2024-03-22 · Updated 2024-03-26 · CVE-2024-29186

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions

Bref versions prior to 2.1.17

Description

The issue arises when Bref is used with the Event-Driven Function runtime and the handler is a RequestHandlerInterface. During the conversion of a Lambda event to a PSR7 object, if the request is multipart, each part is parsed and the Content-Type header of each part is read using the Riverline/multipart-parser library. This library performs slow multi-byte string operations on the header value, specifically by calling the mb_convert_encoding function with parameters read from the header value. An attacker could send crafted requests that force the server into long operations, resulting in a long billed duration. The attack requires that the Lambda uses the Event-Driven Function runtime and implements at least one endpoint accepting POST requests; the attacker can send requests up to 6MB long. If the Lambda uses a PHP runtime <= php-82, the impact is higher.

Recommendations

For Bref versions prior to 2.1.17, upgrade to version 2.1.17 or later to resolve the issue. As a temporary workaround, consider performing additional validation on the headers parsed via the StreamedPart::parseHeaderContent function, allowing only legitimate headers with a reasonable length. Restrict access to the StreamedPart::parseHeaderContent function until a patch is available. Avoid using the Content-Type header in the affected API endpoint until the issue is resolved.
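
The header validation suggested as a temporary workaround could look like the sketch below, which is an added example and not code from Bref or Riverline/multipart-parser. The function names, the 256-byte cap and the charset allow-list are assumptions, and the check is meant to run on the raw multipart body before it reaches the parser.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helpers, not part of Bref or riverline/multipart-parser.
const MAX_PART_HEADER_BYTES = 256;                            // assumed cap
const ALLOWED_CHARSETS = ['utf-8', 'iso-8859-1', 'us-ascii']; // assumed allow-list

// Returns null if the header line is acceptable, otherwise a rejection reason.
function rejectPartHeaderLine(string $line): ?string
{
    if (strlen($line) > MAX_PART_HEADER_BYTES) {
        return 'header too long';
    }
    // Printable ASCII and tab only: no control bytes, no raw 8-bit data.
    if (preg_match('/^[\x20-\x7E\t]*\z/', $line) !== 1) {
        return 'unexpected bytes in header';
    }
    // A charset parameter ends up as an encoding name, so allow-list it.
    preg_match_all('/\bcharset\s*=([^;]*)/i', $line, $m);
    foreach ($m[1] as $raw) {
        if (!in_array(strtolower(trim($raw, " \t\"")), ALLOWED_CHARSETS, true)) {
            return 'charset not allowed';
        }
    }
    return null;
}

// Checks the header lines of every part in a raw multipart body (CRLF line endings).
function rejectMultipartBody(string $body, string $boundary): ?string
{
    $segments = array_slice(explode('--' . $boundary, $body), 1); // drop the preamble
    foreach ($segments as $segment) {
        if (str_starts_with($segment, '--')) {
            break; // closing delimiter reached
        }
        $headerBlock = explode("\r\n\r\n", $segment, 2)[0];
        foreach (explode("\r\n", trim($headerBlock)) as $line) {
            if (($reason = rejectPartHeaderLine($line)) !== null) {
                return $reason;
            }
        }
    }
    return null;
}

// Constructed sample bodies: a normal part, an oversized header, an unlisted charset.
$tail = "\r\n\r\nhi\r\n--b--\r\n";
var_dump(rejectMultipartBody("--b\r\nContent-Type: text/plain; charset=utf-8" . $tail, 'b'));
var_dump(rejectMultipartBody("--b\r\nContent-Type: text/plain; charset=" . str_repeat('x', 1000) . $tail, 'b'));
var_dump(rejectMultipartBody("--b\r\nContent-Type: text/plain; charset=example-unlisted" . $tail, 'b'));
```

A request for which rejectMultipartBody returns a reason should be answered with a 4xx response before any PSR7 conversion takes place.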

Exploit

Fix

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2024-29186
GHSA-J4HQ-F63X-F39R

Affected Products

Bref
PHP
Riverline/Multipart-Parser