Vulnerabilities > CVE-2024-24754 - Unspecified vulnerability in Mnapoli Bref
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Bref enable serverless PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the handler is a `RequestHandlerInterface`, then the Lambda event is converted to a PSR7 object. During the conversion process, if the request is a MultiPart, each part is parsed and its content added in the `$files` or `$parsedBody` arrays. The conversion process produces a different output compared to the one of plain PHP when keys ending with and open square bracket ([) are used. Based on the application logic the difference in the body parsing might lead to vulnerabilities and/or undefined behaviors. This vulnerability is patched in 2.1.13.
Vulnerable Configurations
References
- https://github.com/brefphp/bref/commit/c77d9f5abf021f29fa96b5720b7b84adbd199092
- https://github.com/brefphp/bref/commit/c77d9f5abf021f29fa96b5720b7b84adbd199092
- https://github.com/brefphp/bref/security/advisories/GHSA-82vx-mm6r-gg8w
- https://github.com/brefphp/bref/security/advisories/GHSA-82vx-mm6r-gg8w