VYPR
Low severity · NVD Advisory · Published Feb 1, 2024 · Updated May 15, 2025

Bref Body Parsing Inconsistency in Event-Driven Functions

CVE-2024-24754

Description

Bref enables serverless PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the handler is a RequestHandlerInterface, the Lambda event is converted to a PSR-7 object. During the conversion process, if the request is multipart, each part is parsed and its content added to the $files or $parsedBody arrays. The conversion process produces a different output compared to that of plain PHP when keys ending with an open square bracket ([) are used. Depending on the application logic, the difference in body parsing might lead to vulnerabilities and/or undefined behaviors. This vulnerability is patched in 2.1.13.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Bref serverless PHP on AWS Lambda incorrectly parses multipart form data with keys ending in '[' (open bracket), causing inconsistencies versus PHP's native parsing that can lead to application-specific vulnerabilities.

Vulnerability Overview

CVE-2024-24754 affects Bref, a framework enabling serverless PHP on AWS Lambda. When using the Event-Driven Function runtime with a RequestHandlerInterface handler, Lambda events are converted to PSR-7 objects. The conversion process uses the parseKeyAndInsertValueInArray method to parse multipart form data and populate the $files and $parsedBody arrays [2]. This method incorrectly handles keys ending with an open square bracket ([), producing a different result compared to PHP's native parse_str or multipart parsing [1][2].

Attack Surface and Exploitation

The vulnerability is specifically triggered during multipart request parsing when a part name contains a trailing [ (e.g., key0[key1[]). The custom parsing logic splits on [ and processes each segment, but it does not replicate PHP's handling of such keys, leading to malformed array structures [2][4]. An attacker can craft a multipart request with specially named form fields to exploit this inconsistency. No authentication is required beyond the ability to send requests to an affected Lambda function using the Bref Event-Driven runtime [1].
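To make the discrepancy concrete, here is an added example (not Bref's code) that runs a hypothetical naive split-on-`[` parser and PHP's own parse_str() over the same constructed field names and reports where they disagree; parse_str() applies the same variable-name rules as $_POST, so it stands in for "plain PHP" here. The function names naiveInsert, phpNativeInsert and findDivergentKeys are my own.

```php
<?php
// Added example, not Bref's code: differential check of a naive "split on '['" parser
// against parse_str(), which applies the $_POST variable-name rules a PSR-7 bridge must match.
declare(strict_types=1);

/** Hypothetical naive nested-key parser, written to show the failure mode. */
function naiveInsert(array &$target, string $key, string $value): void
{
    $parts = explode('[', $key);        // "a[b][c]" => ["a", "b]", "c]"]
    $pointer = &$target;
    foreach ($parts as $i => $part) {
        if ($i > 0) {
            $part = rtrim($part, ']');  // strips "]", but also accepts "b" or "b]c" silently
        }
        if ($part === '') {
            $pointer = &$pointer[];     // "[]" appends a new element
        } else {
            $pointer = &$pointer[$part];
        }
    }
    $pointer = $value;
}

/** Reference: run the same field through parse_str(), which mirrors $_POST handling. */
function phpNativeInsert(array &$target, string $key, string $value): void
{
    parse_str(urlencode($key) . '=' . urlencode($value), $parsed);
    $target = array_replace_recursive($target, $parsed);
}

/** Returns, per field name, both results wherever the two parsers disagree. */
function findDivergentKeys(array $fieldNames): array
{
    $divergent = [];
    foreach ($fieldNames as $name) {
        $naive = [];
        $native = [];
        naiveInsert($naive, $name, 'v');
        phpNativeInsert($native, $name, 'v');
        if ($naive !== $native) {
            $divergent[$name] = ['naive' => $naive, 'native' => $native];
        }
    }
    return $divergent;
}

// Constructed sample of multipart part names, including the advisory's key0[key1[] shape.
$samples = ['plain', 'user[name]', 'tags[]', 'key0[key1[]', 'key0[', 'a[b]c'];
foreach (findDivergentKeys($samples) as $name => $r) {
    printf("%-12s naive=%s native=%s\n", $name, json_encode($r['naive']), json_encode($r['native']));
}
```

Running the same harness against a real bridge's parser, with parse_str() as the oracle, is a cheap regression check for exactly the class of mismatch this advisory describes.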

Impact

Depending on the application's logic and how parsed input is used (e.g., in database queries, file operations, or authorization checks), this parsing discrepancy can result in undefined behavior or security vulnerabilities, such as parameter smuggling or bypassing input validation [1][2]. The impact is application-specific, but the core issue is a deviation from expected PHP behavior that could be leveraged to manipulate application state.

Mitigation

The vulnerability is patched in Bref version 2.1.13 [1][2]. Users of affected versions (<2.1.13) should upgrade immediately. The advisory mentions neither workarounds nor a listing in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package               | Affected versions | Patched versions
bref/bref (Packagist) | < 2.1.13          | 2.1.13


Patches

c77d9f5abf02

Cleanup uploaded files for PSR-15 handlers

https://github.com/brefphp/bref · Matthieu Napoli · Jan 29, 2024 · via ghsa
2 files changed · +20 −1
  • src/Event/Http/Psr15Handler.php (+2 −0, modified)
    @@ -16,6 +16,8 @@ public function __construct(RequestHandlerInterface $psr15Handler)
     
         public function handleRequest(HttpRequestEvent $event, Context $context): HttpResponse
         {
    +        Psr7Bridge::cleanupUploadedFiles();
    +
             $request = Psr7Bridge::convertRequest($event, $context);
     
             $response = $this->psr15Handler->handle($request);
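Review bot: cleanupUploadedFiles() runs before convertRequest(), that is, at the start of the next invocation, so a request's temporary uploads stay on the warm container's disk until another request happens to arrive. Consider also calling it in a `finally` around `$response = $this->psr15Handler->handle($request);` so uploaded content does not outlive the invocation that received it.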
    
  • src/Event/Http/Psr7Bridge.php (+18 −1, modified)
    @@ -18,6 +18,8 @@
      */
     final class Psr7Bridge
     {
    +    private const UPLOADED_FILES_PREFIX = 'bref_upload_';
    +
         /**
          * Create a PSR-7 server request from an AWS Lambda HTTP event.
          */
    @@ -106,7 +108,7 @@ private static function parseBodyAndUploadedFiles(HttpRequestEvent $event): arra
                         $parsedBody = [];
                         foreach ($document->getParts() as $part) {
                             if ($part->isFile()) {
    -                            $tmpPath = tempnam(sys_get_temp_dir(), 'bref_upload_');
    +                            $tmpPath = tempnam(sys_get_temp_dir(), self::UPLOADED_FILES_PREFIX);
                                 if ($tmpPath === false) {
                                     throw new RuntimeException('Unable to create a temporary directory');
                                 }
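Review bot: the message in the unchanged context line `throw new RuntimeException('Unable to create a temporary directory');` describes tempnam(), which creates a file rather than a directory; since the line above it is being touched anyway, changing it to 'Unable to create a temporary file' would make the failure easier to read in logs.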
    @@ -166,4 +168,19 @@ private static function parseKeyAndInsertValueInArray(array &$array, string $key
     
             $pointer = $value;
         }
    +
    +    /**
    +     * Cleanup previously uploaded files.
    +     */
    +    public static function cleanupUploadedFiles(): void
    +    {
    +        $tmpFiles = glob(sys_get_temp_dir() . '/' . self::UPLOADED_FILES_PREFIX . '*');
    +        if ($tmpFiles !== false) {
    +            foreach ($tmpFiles as $file) {
    +                if(is_file($file)) {
    +                    unlink($file);
    +                }
    +            }
    +        }
    +    }
     }
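Review bot: the key-splitting logic of parseKeyAndInsertValueInArray() is untouched (only its closing lines `$pointer = $value;` and `}` appear as context), so this commit does not change the `[` handling the advisory describes; the body-parsing correction must live in a separate commit of 2.1.13. In the new method, `if(is_file($file))` lacks the space after `if` used elsewhere in the file, and the return value of unlink() is ignored, so a file that cannot be removed fails silently; logging that case would help when investigating leftover uploads.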
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
