Slow String Operations via MultiPart Requests in Event-Driven Functions
Description
Bref is an open-source project that helps users go serverless on Amazon Web Services with PHP. When Bref prior to version 2.1.17 is used with the Event-Driven Function runtime and the handler is a RequestHandlerInterface, the Lambda event is converted to a PSR-7 object. During the conversion, if the request is multipart, each part is parsed. In the parsing process, the Content-Type header of each part is read using the Riverline/multipart-parser library.
The library, in the StreamedPart::parseHeaderContent function, performs slow multi-byte string operations on the header value. Precisely, the mb_convert_encoding function is used with the first ($string) and third ($from_encoding) parameters read from the header value.
An attacker could send specifically crafted requests which would force the server into performing long operations with a consequent long billed duration.
The attack has the following requirements and limitations:
- The Lambda must use the Event-Driven Function runtime with the RequestHandlerInterface handler and must implement at least one endpoint accepting POST requests.
- The attacker can send requests up to 6MB long; this is enough to cause a billed duration between 400ms and 500ms with the default 1024MB RAM Lambda image of Bref.
- If the Lambda uses a PHP runtime <= php-82, the impact is higher: the billed duration in the default 1024MB RAM Lambda image of Bref could be brought to more than 900ms for each request.
Notice that the vulnerability applies only to headers read from the request body, as the request header has a limitation which allows a total maximum size of ~10KB.
Version 2.1.17 contains a fix for this issue.
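The slow path described above is a multi-byte conversion whose input string and source encoding both come straight from a part header in the request body. The following is an added example of a defensive parser-side guard, not code from Bref, not code from riverline/multipart-parser, and not the actual change shipped in 2.1.2; the function names, the 8KB header cap and the charset regex are assumptions chosen for illustration. It caps the header value size before any mbstring work, extracts only the charset parameter, and converts only when that charset is one mbstring actually supports.

```php
<?php
declare(strict_types=1);

// Assumed limit: a legitimate per-part header value is a few hundred bytes at most.
// Refusing anything larger removes the input that makes the conversion expensive.
const MAX_PART_HEADER_BYTES = 8192;

/**
 * Return the charset declared in a Content-Type header value, or null when the
 * header is oversized, declares no charset, or names an encoding mbstring does
 * not know. Nothing multi-byte is done on the header before these checks pass.
 */
function safeCharsetFromContentType(string $headerValue): ?string
{
    if (strlen($headerValue) > MAX_PART_HEADER_BYTES) {
        return null;
    }
    // Only the charset parameter is of interest; require it to be a short token
    // followed by a delimiter or end of string, so the length cap cannot be
    // bypassed by a longer name that merely starts with a valid prefix.
    if (!preg_match('/;\s*charset\s*=\s*"?([A-Za-z0-9._-]{1,40})"?(?=\s*(?:;|$))/i', $headerValue, $m)) {
        return null;
    }
    $charset = $m[1];

    // Build the set of encoding names and aliases mbstring supports, once.
    static $known = null;
    if ($known === null) {
        $known = [];
        foreach (mb_list_encodings() as $enc) {
            $known[strtolower($enc)] = true;
            foreach (mb_encoding_aliases($enc) as $alias) {
                $known[strtolower($alias)] = true;
            }
        }
    }
    return isset($known[strtolower($charset)]) ? $charset : null;
}

/**
 * Normalize a part header value to UTF-8 only when the declared charset passed
 * validation; otherwise leave the value untouched instead of attempting a
 * conversion with untrusted parameters.
 */
function normalizePartHeader(string $headerValue): string
{
    $charset = safeCharsetFromContentType($headerValue);
    if ($charset === null || strcasecmp($charset, 'UTF-8') === 0) {
        return $headerValue;
    }
    return mb_convert_encoding($headerValue, 'UTF-8', $charset);
}

// Constructed sample inputs for a local self-check.
$valid     = 'text/plain; charset=ISO-8859-1';
$unknown   = 'text/plain; charset=not-a-real-encoding';
$oversized = 'text/plain; charset=UTF-8; x=' . str_repeat('a', 20000);

var_dump(safeCharsetFromContentType($valid));      // a known mbstring encoding
var_dump(safeCharsetFromContentType($unknown));    // rejected: not in mb_list_encodings()
var_dump(safeCharsetFromContentType($oversized));  // rejected: over MAX_PART_HEADER_BYTES
var_dump(normalizePartHeader($oversized) === $oversized); // returned unchanged, no conversion run
```

The design choice worth noting is ordering: the byte-length check runs before the regex and before any mbstring call, so the cost of handling an oversized header is a single strlen rather than a multi-byte pass over megabytes of body data. Validating the charset against mb_list_encodings() also avoids the ValueError that PHP 8 raises when mb_convert_encoding receives an unknown encoding name.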
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Bref <2.1.17 uses slow mb_convert_encoding on multipart Content-Type headers, allowing attackers to increase Lambda billed duration via crafted requests.
Vulnerability
Overview
CVE-2024-29186 affects Bref, an open-source project for running PHP serverlessly on AWS Lambda. In versions prior to 2.1.17, when using the Event-Driven Function runtime with a RequestHandlerInterface handler, the Lambda event is converted to a PSR-7 object. During this conversion, multipart request parts are parsed using the Riverline/multipart-parser library. The library's StreamedPart::parseHeaderContent function calls mb_convert_encoding with parameters derived from the Content-Type header of each part, causing slow multi-byte string operations [1][3].
Exploitation
Conditions
An attacker can exploit this by sending specially crafted multipart POST requests to a Lambda function that uses the affected runtime and handler. The attack requires the function to have at least one POST endpoint. Attacker requests can be up to 6MB in size, which is sufficient to cause a billed duration increase of 400–500ms on the default 1024MB RAM Bref image. On PHP runtimes <= 8.2, the impact is more severe, with billed duration exceeding 900ms per request. The vulnerability only applies to headers within the request body, as the request header size is limited to ~10KB [1][3].
Impact
By forcing the Lambda function to spend excessive time parsing multipart headers, an attacker can significantly increase the billed duration for each request. This can lead to higher costs for the Lambda owner and potentially cause denial of service through resource exhaustion. The impact is limited to Lambda functions using the specific runtime and handler combination [1][3].
Mitigation
The vulnerability is fixed in Bref version 2.1.17. Users should update to this or a later version. The fix involves requiring an updated version of the riverline/multipart-parser library that avoids the inefficient string operations [2][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Registry | Affected versions | Patched versions |
|---|---|---|---|
| bref/bref | Packagist | < 2.1.17 | 2.1.17 |
Affected products
- brefphp/bref (v5): Range < 2.1.17
Patches
- 5f7c0294628d: Require `riverline/multipart-parser` 2.1.2 to fix security issue
1 file changed · +1 −1
composer.json+1 −1 modified@@ -29,7 +29,7 @@ "psr/container": "^1.0|^2.0", "psr/http-message": "^1.0|^2.0", "psr/http-server-handler": "^1.0", - "riverline/multipart-parser": "^2.0.6", + "riverline/multipart-parser": "^2.1.2", "symfony/process": "^4.4|^5.0|^6.0|^7.0" }, "require-dev": {
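Review bot: The whole fix is the constraint bump from "^2.0.6" to "^2.1.2" in composer.json (the commit touches only that file, +1 −1), so Bref itself gains no mitigation; downstream projects whose composer.lock already pins riverline/multipart-parser at 2.0.x or an earlier 2.1.x stay vulnerable until the transitive dependency is updated as well (composer update bref/bref --with-dependencies, or a plain composer update), and the release notes should state that explicitly. Since the caret range still admits any later 2.x of the parser, a regression test in Bref's PSR-7 conversion path that asserts a bounded cost for part headers would guard against a future parser release reintroducing the slow path.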
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-j4hq-f63x-f39r (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-29186 (ghsa, ADVISORY)
- github.com/brefphp/bref/commit/5f7c0294628dbcec6305f638ff7e2dba8a1c2f45 (ghsa, x_refsource_MISC, WEB)
- github.com/brefphp/bref/security/advisories/GHSA-j4hq-f63x-f39r (ghsa, x_refsource_CONFIRM, WEB)