CVE-2024-24752 Information
Description
Bref enable serverless PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the handler is a RequestHandlerInterface then the Lambda event is converted to a PSR7 object. During the conversion process if the request is a MultiPart each part is parsed and for each which contains a file it is extracted and saved in /tmp with a random filename starting with bref_upload_. The flow mimics what plain PHP does but it does not delete the temporary files when the request has been processed. An attacker could fill the Lambda instance disk by performing multiple MultiPart requests containing files. This vulnerability is patched in 2.1.13.
Reference
https://github.com/brefphp/bref/security/advisories/GHSA-x4hh-frx8-98r5 https://github.com/brefphp/bref/commit/350788de12880b6fd64c4c318ba995388bec840e
Share on: