CVE-2024-29186

Summary

CVE-2024-29186 is a vulnerability affecting the open-source project Bref, which allows users to go serverless on Amazon Web Services with PHP. When Bref, prior to version 2.1.17, is used with the Event-Driven Function runtime and the handler is of type `RequestHandlerInterface`, it converts Lambda events to PSR7 objects. During this conversion process, the `Riverline/multipart-parser` library, used for parsing MultiPart requests, performs slow multi-byte string operations on the header value. An attacker can exploit this vulnerability by sending specifically crafted MultiPart requests, causing the server to perform long operations and increasing billed durations between 400ms and 900ms, depending on the PHP runtime version. This vulnerability applies to headers read from the request body, and the attacker can send requests up to 6MB in size. The fixed version, 2.1.17, contains a remediation for this issue.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.