CVE-2024-24754

Public Exploit
Bref Body Parsing Inconsistency in Event-Driven Functions

Description

Bref enable serverless PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the handler is a `RequestHandlerInterface`, then the Lambda event is converted to a PSR7 object. During the conversion process, if the request is a MultiPart, each part is parsed and its content added in the `$files` or `$parsedBody` arrays. The conversion process produces a different output compared to the one of plain PHP when keys ending with and open square bracket ([) are used. Based on the application logic the difference in the body parsing might lead to vulnerabilities and/or undefined behaviors. This vulnerability is patched in 2.1.13.

Category

3.7
CVSS
Severity: Low
CVSS 3.1 •
EPSS 0.23%
Vendor Advisory github.com
Affected: brefphp bref
Published at:
Updated at:

References

Link Tags
https://github.com/brefphp/bref/security/advisories/GHSA-82vx-mm6r-gg8w vendor advisory exploit
https://github.com/brefphp/bref/commit/c77d9f5abf021f29fa96b5720b7b84adbd199092 patch

Frequently Asked Questions

What is the severity of CVE-2024-24754?
CVE-2024-24754 has been scored as a low severity vulnerability.
How to fix CVE-2024-24754?
To fix CVE-2024-24754, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-24754 being actively exploited in the wild?
It is possible that CVE-2024-24754 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-24754?
CVE-2024-24754 affects brefphp bref.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.