CVE-2024-24754 Overview
CVE-2024-24754 is a critical request-parsing vulnerability (CWE-436, Interpretation Conflict) in Bref, a framework that runs PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the handler implements the PSR-15 RequestHandlerInterface, the incoming Lambda event is converted into a PSR-7 request object. If the request is multipart/form-data, each part is parsed during that conversion and its content is added to the $files or $parsedBody arrays. The conversion produces different output from plain PHP when a field name ends with an unterminated open square bracket ([), so an application written against PHP's usual key names can receive a different data structure. Depending on the application's logic, that difference may lead to security vulnerabilities or undefined behaviour.
Critical Impact
Because Bref and native PHP disagree on how such a field name maps into the parsed body, any check the application performs on $parsedBody or $files (key allowlists, required-field validation, authorization decisions keyed on form fields) may see different data than a developer who tested under plain PHP expected. Depending on that logic, the result can be a validation or authorization bypass, injected values reaching code that assumed they had been filtered, or other undefined behaviour.
Affected Products
- Bref (Composer package bref/bref, GitHub repository brefphp/bref) versions prior to 2.1.13
- AWS Lambda deployments using Bref Event-Driven Function runtime
- Applications whose handler implements RequestHandlerInterface and accepts multipart/form-data requests
Discovery Timeline
- 2024-02-01 - CVE-2024-24754 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-24754
Vulnerability Analysis
This vulnerability falls under CWE-436 (Interpretation Conflict), which covers cases where two software components interpret the same content differently. In Bref, the multipart request parsing logic diverges from PHP's native behaviour when a form field name ends with an unterminated open square bracket ([).
When a serverless PHP application receives a MultiPart HTTP request through Bref's Event-Driven Function runtime, the framework converts the AWS Lambda event into a PSR-7 compliant request object. This conversion involves parsing the MultiPart body and populating the $files and $parsedBody arrays that PHP applications typically rely upon for accessing uploaded files and form data.
The conflict becomes exploitable when an attacker sends a multipart request whose field names end in an unterminated open square bracket. Native PHP does not treat such a name as array notation: when it registers request variables it rewrites the unmatched [ (as it does spaces and dots) as an underscore, so a field named is_admin[ appears in $_POST as is_admin_ and settings[theme appears as settings_theme. Bref's conversion handled these names differently, so the application can receive a different key, or a nested array, where PHP would have produced a flat key. Validation or authorization logic written and tested against PHP's behaviour can then be bypassed, or the application can take a code path its author never exercised.
Root Cause
The root cause lies in the multipart body parser of Bref's request conversion layer (the bridge from the Lambda event to the PSR-7 request), which did not replicate PHP's native handling of array notation in form field names. When a name ends with an unterminated [, PHP's $_POST and $_FILES contain a flat key with the bracket replaced by an underscore, whereas the Bref parser produced a different structure. An attacker who knows both behaviours can craft a request that looks harmless under one interpretation and is read differently under the other.
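To make the divergence concrete, the following is an added example (not Bref's code, and written in Python rather than PHP so it runs anywhere). It parses a constructed multipart body twice: once through a model of how PHP's own request-variable registration maps field names into $_POST (unterminated [ becomes _, a[] appends, a[b][c] nests, a name with an empty base is dropped), and once through a hypothetical bracket-splitting parser that treats every [ as array notation. That second parser is only an illustration of the kind of interpretation conflict the advisory describes; it is not Bref's actual pre-2.1.13 code. The boundary, field names and values are all constructed.

```python
"""Added example (not Bref's code): PHP-style form-field name handling beside a
hypothetical bracket-splitting parser, both fed the same constructed body."""
import re
from typing import List, Optional, Tuple

# Constructed sample body, not a captured request: two plain fields, a PHP-style
# array field sent twice, and two names with an unterminated '['.
BOUNDARY = "----ExampleBoundary7MA4YWxkTrZu0gW"

def _part(name: str, value: str) -> str:
    return (f"--{BOUNDARY}\r\n"
            f'Content-Disposition: form-data; name="{name}"\r\n\r\n'
            f"{value}\r\n")

SAMPLE_BODY = (
    _part("user", "alice")
    + _part("roles[]", "viewer")
    + _part("roles[]", "editor")
    + _part("is_admin[", "1")          # trailing '[' with no ']'
    + _part("settings[theme", "dark")  # '[' followed by text but no ']'
    + f"--{BOUNDARY}--\r\n"
)

NAME_RE = re.compile(r';\s*name="([^"]*)"')

def parse_multipart(body: str, boundary: str) -> List[Tuple[str, str]]:
    """Minimal multipart/form-data splitter: (field name, value) pairs in order."""
    pairs = []
    for chunk in body.split(f"--{boundary}")[1:]:
        if chunk.startswith("--"):
            break                                   # closing delimiter
        headers, _, payload = chunk.lstrip("\r\n").partition("\r\n\r\n")
        m = NAME_RE.search(headers)
        if m:
            pairs.append((m.group(1), payload.rstrip("\r\n")))
    return pairs

def php_variable_path(name: str) -> Optional[List[Optional[str]]]:
    """Model of php_register_variable_ex(): the array path PHP uses for a field
    name. None in the path means "append" (a[]); a None result means PHP drops
    the variable (empty base name). Spaces and dots in key text become '_'."""
    name = name.lstrip(" ")
    lb = name.find("[")
    head = (name if lb == -1 else name[:lb]).replace(" ", "_").replace(".", "_")
    if not head:
        return None
    if lb == -1:
        return [head]
    path: List[Optional[str]] = [head]
    pos = lb                                        # always at a '['
    while True:
        j = pos + 1
        if j < len(name) and name[j].isspace():     # PHP skips one space before ']'
            j += 1
        if j < len(name) and name[j] == "]":
            path.append(None)
            rb = j
        else:
            rb = name.find("]", j)
            if rb == -1:
                if len(path) == 1:
                    # Top-level unterminated '[' is rewritten to '_' and the rest
                    # becomes part of a plain key: "is_admin[" -> "is_admin_".
                    tail = name[pos + 1:].replace(" ", "_").replace(".", "_")
                    return [head + "_" + tail]
                return path                         # nested: remainder is dropped
            path.append(name[pos + 1:rb])
        pos = rb + 1
        if pos >= len(name) or name[pos] != "[":
            return path                             # anything after ']' is ignored

def _next_index(d: dict) -> int:
    ints = [k for k in d if isinstance(k, int)]
    return max(ints) + 1 if ints else 0

def php_assign(store: dict, path: List[Optional[str]], value: str) -> None:
    node = store
    for i, key in enumerate(path):
        if key is None:
            key = _next_index(node)
        if i == len(path) - 1:
            node[key] = value
        else:
            child = node.get(key)
            if not isinstance(child, dict):         # PHP replaces a scalar with an array
                child = node[key] = {}
            node = child

def php_parsed_body(pairs: List[Tuple[str, str]]) -> dict:
    """What $_POST would hold for these parts under native PHP."""
    store: dict = {}
    for name, value in pairs:
        path = php_variable_path(name)
        if path is not None:
            php_assign(store, path, value)
    return store

def naive_parsed_body(pairs: List[Tuple[str, str]]) -> dict:
    """Hypothetical parser that treats any '[' as array notation, closed or not.
    It illustrates the divergence the advisory describes; it is not Bref's code."""
    store: dict = {}
    for name, value in pairs:
        if "[" not in name:
            store[name] = value
            continue
        base, _, rest = name.partition("[")
        idx = rest.rstrip("]")
        bucket = store.get(base)
        if not isinstance(bucket, dict):
            bucket = store[base] = {}
        bucket[idx if idx else _next_index(bucket)] = value
    return store

def divergent_keys(pairs: List[Tuple[str, str]]) -> List[str]:
    """Top-level keys on which the two interpretations disagree."""
    php, naive = php_parsed_body(pairs), naive_parsed_body(pairs)
    return sorted(k for k in set(php) | set(naive) if php.get(k) != naive.get(k))

if __name__ == "__main__":
    parts = parse_multipart(SAMPLE_BODY, BOUNDARY)
    print("PHP   :", php_parsed_body(parts))
    print("naive :", naive_parsed_body(parts))
    print("differ:", divergent_keys(parts))
```

Run stand-alone, the script shows PHP producing flat keys is_admin_ and settings_theme while the bracket-splitting parser produces nested arrays under is_admin and settings. An allowlist or required-field check written against one of the two shapes silently misses the other, which is the whole of the vulnerability: the bytes on the wire are identical, only the interpretation differs.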
Attack Vector
An attacker can exploit this vulnerability remotely over the network, without authentication or user interaction, against any reachable endpoint backed by a Lambda function that runs Bref's Event-Driven Function runtime. The attack is simply a crafted multipart/form-data request.
The exploitation technique involves:
- Identifying an endpoint served by a Lambda function that uses Bref with a RequestHandlerInterface handler
- Crafting a multipart request whose field names end with an unterminated open square bracket
- Sending the request so that Bref's conversion parses the names differently from PHP
- Leveraging the resulting difference in $parsedBody or $files to bypass application logic, validation, or security controls
Since the vulnerability exists in how request data is parsed and presented to the application, the impact depends on how the application uses the $parsedBody or $files arrays. Applications that rely on specific key structures or perform security checks based on the parsed data may be vulnerable to bypass attacks.
Detection Methods for CVE-2024-24754
Indicators of Compromise
- Multipart requests whose Content-Disposition name parameters end with an unterminated [ or otherwise contain unbalanced brackets
- Application logs showing unexpected array structures or parsing errors in form data processing
- Authentication or authorization bypass events following MultiPart form submissions
- Anomalous behavior in Lambda functions processing form data that differs from expected application flow
Detection Strategies
- Monitor CloudWatch logs for Lambda functions running Bref for unusual request patterns or parsing anomalies
- Implement Web Application Firewall (WAF) rules that inspect the request body and flag multipart parts whose field names contain unbalanced brackets
- Deploy runtime application self-protection (RASP) solutions to detect unexpected data structure changes
- Review application logs for discrepancies between expected and received form field structures
Monitoring Recommendations
- Enable detailed logging for all Lambda functions using Bref to capture request body parsing information
- Configure AWS CloudTrail and CloudWatch alarms for unusual patterns in Lambda invocations
- Implement SentinelOne Singularity Cloud to monitor serverless workloads for anomalous request handling behaviors
- Establish baseline metrics for normal MultiPart request patterns and alert on deviations
How to Mitigate CVE-2024-24754
Immediate Actions Required
- Upgrade Bref to version 2.1.13 or later, which contains the fix
- Review application code that processes $parsedBody or $files arrays for potential security implications
- Implement additional server-side validation of form field names before processing
- Deploy WAF rules to filter requests with potentially malicious field naming patterns
Patch Information
The vulnerability has been addressed in Bref version 2.1.13. The fix aligns the multipart parsing logic with PHP's native handling of field names that end with an unterminated open square bracket. Update composer.json to require bref/bref ^2.1.13 (which also allows any later 2.x release) and redeploy the affected Lambda functions.
For detailed patch information, refer to the GitHub Security Advisory GHSA-82vx-mm6r-gg8w and the associated commit.
Workarounds
- Implement input validation to reject or sanitize form field names containing trailing open square brackets before processing
- Add application-layer filtering to normalize field names that may trigger parsing inconsistencies
- API Gateway request validation can enforce required headers and validate JSON bodies against a model, but it does not inspect multipart/form-data bodies; filtering of field names has to happen in AWS WAF or in the application itself
- Deploy AWS WAF custom rules to inspect and filter potentially malicious MultiPart request patterns
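The check behind both the detection strategies above and the first two workarounds is the same: decide whether a multipart field name has well-formed bracket notation. The following added example (not Bref's, AWS's or any WAF vendor's code; written in Python so it runs anywhere) implements that check once and uses it two ways: as a scanner over Content-Disposition header values of the kind a request logger might record, and as a guard that either rejects a request or drops the offending fields before the handler sees them. The header values are constructed, not real traffic, and the function and parameter names are this example's own.

```python
"""Added example (not Bref's code): one field-name check used as a log scanner
and as a pre-handler guard for multipart/form-data requests."""
import re
from typing import List, Optional, Tuple

NAME_RE = re.compile(r';\s*name="([^"]*)"')

def field_name_problem(name: str) -> Optional[str]:
    """Return why a field name is risky, or None if its bracket notation is
    well formed (plain, a[], a[b], a[b][c] ...). Anything flagged here is a
    name on which PHP and a bracket-splitting parser can disagree."""
    name = name.lstrip(" ")
    lb = name.find("[")
    if lb == -1:
        return "']' without a matching '['" if "]" in name else None
    if lb == 0:
        return "empty base name before '['"
    pos = lb
    while pos < len(name):
        if name[pos] != "[":
            return "characters after ']' that are not another '['"
        rb = name.find("]", pos + 1)
        if rb == -1:
            return "unterminated '['"
        pos = rb + 1
    return None

# Constructed sample: Content-Disposition header values as a request logger
# might record them (assumed log shape, not real traffic).
SAMPLE_HEADERS = [
    'form-data; name="user"',
    'form-data; name="roles[]"',
    'form-data; name="avatar"; filename="me.png"',
    'form-data; name="is_admin["',
    'form-data; name="settings[theme"',
    'form-data; name="[x]"',
]

def scan_content_disposition(headers: List[str]) -> List[Tuple[str, str]]:
    """Detection: (field name, reason) for every header whose name is flagged."""
    findings = []
    for header in headers:
        m = NAME_RE.search(header)
        if m:
            reason = field_name_problem(m.group(1))
            if reason:
                findings.append((m.group(1), reason))
    return findings

def guard_fields(pairs: List[Tuple[str, str]], reject: bool = True) -> List[Tuple[str, str]]:
    """Workaround: run before the handler reads $parsedBody/$files.
    reject=True raises on the first flagged name (fail closed);
    reject=False drops the flagged fields and returns the rest."""
    flagged = [(n, field_name_problem(n)) for n, _ in pairs if field_name_problem(n)]
    if flagged and reject:
        raise ValueError(f"rejected multipart field names: {flagged}")
    return [(n, v) for n, v in pairs if field_name_problem(n) is None]

def request_is_rejected(pairs: List[Tuple[str, str]]) -> bool:
    """True if guard_fields() in reject mode would refuse these parts."""
    try:
        guard_fields(pairs, reject=True)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    for name, reason in scan_content_disposition(SAMPLE_HEADERS):
        print(f"ALERT field={name!r}: {reason}")
    print(guard_fields([("user", "alice"), ("is_admin[", "1")], reject=False))
```

Rejecting is the safer default: dropping a field changes what the handler sees just as the parser divergence did, only in a direction you chose. Use the drop mode only where a missing field is guaranteed to fail closed in the handler. Either way this is a stopgap until the upgrade to 2.1.13 is deployed.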
# Update Bref to patched version
composer require bref/bref:^2.1.13
# Redeploy Lambda function with updated dependencies
serverless deploy
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

