Bref Multiple Value Headers Not Supported in ApiGatewayFormatV2
Description
Bref enables serverless PHP on AWS Lambda. When Bref is used together with an API Gateway in the v2 format, it does not handle multi-value headers. If PHP generates a response with two headers that have the same name but different values, only the last one is kept. If an application relies on several headers with the same name being set for security reasons, Bref therefore lowers the application's security. For example, if an application sets multiple Content-Security-Policy headers, Bref only reflects the last one. This vulnerability is patched in 2.1.13.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Bref 2.1.12 and earlier discards duplicate HTTP response headers when used with API Gateway v2, potentially weakening security policies like Content-Security-Policy.
Vulnerability
Description
Bref, a library enabling serverless PHP on AWS Lambda, fails to handle multiple HTTP response headers with the same key when used with API Gateway in the v2 format. Specifically, if a PHP application sets two headers with identical keys but different values, Bref retains only the last value, discarding the earlier ones [1]. This behavior is due to how the response is processed in HttpResponse.php [2].
Exploitation
No interaction with Bref itself is needed to trigger the header loss: any application deployed on Bref behind API Gateway v2 that sets several security-oriented headers with the same name (e.g., Content-Security-Policy) silently loses all but the last one. The PoC in [2] shows that when multiple Content-Security-Policy headers are set, only the final one is reflected in the response, so the earlier, more restrictive policy is omitted. No authentication or special network position is required beyond what is needed to reach the affected endpoint.
Impact
If an application depends on several headers with the same name for security, such as layered Content-Security-Policy headers that restrict script sources and image sources separately, losing the earlier headers weakens its security posture. In the PoC, the script-src 'none' directive is dropped, allowing JavaScript execution that the application intended to block [2].
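As an added illustration (not Bref's own code), the following PHP models the flattening that HttpResponse.php performs for the v2 format, with the pre-2.1.13 last-value behaviour beside the patched comma-join, and reports which intended CSP policies survive; the Set-Cookie branch, the helper names and all sample values are assumptions.

```php
<?php
// Added illustration (not Bref's own code) of how a PHP header map is flattened
// into the API Gateway v2 response shape before and after the 2.1.13 fix.
// The Set-Cookie branch is an assumption modelled on the separate "cookies"
// field of the v2 format; all header names and values are constructed samples.

/**
 * @param bool $joinValues false reproduces Bref < 2.1.13 (keep only the last
 *                         value); true reproduces 2.1.13 (comma-join, RFC 7230 §3.2.2)
 */
function toApiGatewayV2(array $headers, bool $joinValues): array
{
    $event = ['statusCode' => 200, 'cookies' => [], 'headers' => []];
    foreach ($headers as $name => $values) {
        if (strtolower($name) === 'set-cookie') {
            // Cookies must never be comma-joined; v2 carries them as a list.
            $event['cookies'] = (array) $values;
            continue;
        }
        if (is_array($values)) {
            $values = $joinValues ? implode(', ', $values) : end($values);
        }
        $event['headers'][$name] = $values;
    }
    return $event;
}

/** Policies the application intended that no longer appear in the emitted header. */
function lostPolicies(array $intended, string $emitted): array
{
    // A comma separates policies in a serialized CSP list, so splitting on it is safe.
    $present = array_map('trim', explode(',', $emitted));
    return array_values(array_diff($intended, $present));
}

$headers = [
    'Content-Security-Policy' => ["script-src 'none'", "img-src 'self'"],
    'Set-Cookie'              => ['session=abc; HttpOnly; Secure', 'theme=dark'],
];

foreach (['vulnerable' => false, 'fixed' => true] as $label => $join) {
    $event = toApiGatewayV2($headers, $join);
    $csp   = $event['headers']['Content-Security-Policy'];
    $lost  = lostPolicies($headers['Content-Security-Policy'], $csp);
    printf("%-10s CSP header: %s\n", $label, $csp);
    printf("%-10s dropped policies: %s\n", $label, $lost ? implode(' | ', $lost) : 'none');
}
```

The same check can run against a deployed endpoint by comparing the Content-Security-Policy the application configures with the header actually returned through the gateway.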
Mitigation
The vulnerability is patched in Bref version 2.1.13 [1]. Users should upgrade immediately. There is no known workaround for earlier versions; updating is the only fix.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| bref/bref (Packagist) | < 2.1.13 | 2.1.13 |
Affected products
- brefphp/bref (v5 record), range: < 2.1.13
Patches
- f834027aaf88: Add support for multi-value response headers with API Gateway v2
2 files changed · +6 −4
src/Event/Http/HttpResponse.php+1 −1 modified@@ -72,7 +72,7 @@ public function toApiGatewayFormatV2(): array } else { // Make sure the values are never arrays // because API Gateway v2 does not support multi-value headers - $headers[$name] = is_array($values) ? end($values) : $values; + $headers[$name] = is_array($values) ? implode(', ', $values) : $values; } }
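Review bot: `implode(', ', $values)` assumes `$values` is a flat array of strings; if a nested array can still reach this branch (the old test name in this commit, "nested arrays in headers are flattened", suggests it once could), implode emits the literal string "Array" with a warning instead of the values, so either flatten before joining or extend the comment above to state that values are normalised earlier. The surrounding `} else {` implies Set-Cookie is handled in a separate branch, which matters because cookie values contain commas and must not be joined this way; a one-line comment here saying so would stop a future refactor from routing them through implode.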
tests/Event/Http/HttpResponseTest.php+5 −3 modified@@ -58,7 +58,7 @@ public function test headers are capitalized() ], $response->toApiGatewayFormatV2()); } - public function test nested arrays in headers are flattened() + public function test multi value headers() { $response = new HttpResponse('', [ 'foo' => ['bar', 'baz'], @@ -76,8 +76,10 @@ public function test nested arrays in headers are flattened() 'cookies' => [], 'isBase64Encoded' => false, 'statusCode' => 200, - // The last value is kept (when multiheaders are not enabled) - 'headers' => ['Foo' => 'baz'], + // Headers are joined with a comma + // See https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.2 + // API Gateway v2 does not support multi-value headers + 'headers' => ['Foo' => 'bar, baz'], 'body' => '', ], $response->toApiGatewayFormatV2()); }
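Review bot: the renamed test only covers the flat two-value case `['bar', 'baz']`; add a case with a Set-Cookie array asserting that its values land in `cookies` rather than in a comma-joined `headers` entry, and a single-element array asserting no trailing separator. The removed comment "The last value is kept (when multiheaders are not enabled)" referred to a multi-header mode; a regression case asserting that path still emits arrays would pin both behaviours.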
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-99f9-gv72-fw9r (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-24753 (GHSA, advisory)
- github.com/brefphp/bref/blob/2.1.12/src/Event/Http/HttpResponse.php (GHSA, web)
- github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc (GHSA, x_refsource_MISC, web)
- github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r (GHSA, x_refsource_CONFIRM, web)