CVE-2024-24752: Bref's Uploaded Files Not Deleted in Event-Driven Functions

February 1, 2024 (updated October 17, 2024)

When Bref is used with the Event-Driven Function runtime and the handler implements RequestHandlerInterface, the Lambda event is converted to a PSR-7 request object. During that conversion, if the request is multipart, each part is parsed, and every part that carries a file is extracted and saved in /tmp under a random filename starting with bref_upload_.

The function implementing the logic follows:

private static function parseBodyAndUploadedFiles(HttpRequestEvent $event): array
{
    $bodyString = $event->getBody();
    $files = [];
    $parsedBody = null;
    $contentType = $event->getContentType();
    if ($contentType !== null && $event->getMethod() === 'POST') {
        if (str_starts_with($contentType, 'application/x-www-form-urlencoded')) {
            parse_str($bodyString, $parsedBody);
        } else {
            // Wrap the raw body so the multipart parser sees a Content-type header.
            $document = new Part("Content-type: $contentType\r\n\r\n" . $bodyString);
            if ($document->isMultiPart()) {
                $parsedBody = [];
                foreach ($document->getParts() as $part) {
                    if ($part->isFile()) {
                        // Each file part is written to /tmp under a bref_upload_ name.
                        // Nothing in this flow removes the file afterwards.
                        $tmpPath = tempnam(sys_get_temp_dir(), 'bref_upload_');
                        if ($tmpPath === false) {
                            throw new RuntimeException('Unable to create a temporary directory');
                        }
                        file_put_contents($tmpPath, $part->getBody());
                        $file = new UploadedFile($tmpPath, filesize($tmpPath), UPLOAD_ERR_OK, $part->getFileName(), $part->getMimeType());

                        self::parseKeyAndInsertValueInArray($files, $part->getName(), $file);
                    } else {
                        self::parseKeyAndInsertValueInArray($parsedBody, $part->getName(), $part->getBody());
                    }
                }
            }
        }
    }
    return [$files, $parsedBody];
}

The flow mimics what plain PHP does for file uploads, but it never deletes the temporary files once the request has been processed, so every multipart request carrying files leaves data behind in /tmp (CWE-400).
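The example below is added here and is not Bref's code or the project's fix. It models the temp-file lifecycle the advisory describes with constructed upload parts (no real multipart parsing), shows the leak by counting leftover bref_upload_* files across several simulated invocations, and places the hardened variant beside it: the temporary paths are tracked and unlinked in a finally block once the handler returns. Function names such as saveUploadedParts, handleWithCleanup and countLeftoverUploads are assumptions.

```php
<?php
// Added example, not Bref's code. Upload parts are constructed inline below;
// all function names are hypothetical.
declare(strict_types=1);

/** Detection check: how many bref_upload_* files are currently left in $dir. */
function countLeftoverUploads(string $dir): int
{
    return count(glob($dir . DIRECTORY_SEPARATOR . 'bref_upload_*') ?: []);
}

/** Vulnerable pattern: each file part is written to the temp dir and never removed. */
function saveUploadedParts(array $parts, string $dir): array
{
    $files = [];
    foreach ($parts as $part) {
        if ($part['filename'] === null) {
            continue; // plain form field, nothing touches the disk
        }
        $tmpPath = tempnam($dir, 'bref_upload_');
        if ($tmpPath === false) {
            throw new RuntimeException('Unable to create a temporary file');
        }
        file_put_contents($tmpPath, $part['body']);
        $files[$part['name']] = $tmpPath;
    }
    return $files;
}

/** Hardened pattern: the same save step, but every path is unlinked after the handler runs. */
function handleWithCleanup(array $parts, string $dir, callable $handler): mixed
{
    $files = saveUploadedParts($parts, $dir);
    try {
        return $handler($files);
    } finally {
        foreach ($files as $path) {
            if (is_file($path)) {
                unlink($path);
            }
        }
    }
}

// Constructed sample "request": one form field and one file part.
$sampleParts = [
    ['name' => 'title', 'filename' => null, 'body' => 'hello'],
    ['name' => 'attachment', 'filename' => 'a.txt', 'body' => str_repeat('x', 1024)],
];
$dir = sys_get_temp_dir();
$handler = fn(array $files): int => array_sum(array_map('filesize', $files));

$before = countLeftoverUploads($dir);

// Three warm invocations of the vulnerable flow: one file per invocation stays behind.
$leaked = [];
for ($i = 0; $i < 3; $i++) {
    $leaked[] = saveUploadedParts($sampleParts, $dir);
}
printf("leftover files after 3 vulnerable invocations: %d\n", countLeftoverUploads($dir) - $before);

// Remove only the files this demo created, so the machine is left as it was found.
foreach ($leaked as $files) {
    foreach ($files as $path) {
        unlink($path);
    }
}

// Three invocations of the hardened flow: the handler still sees the upload, /tmp does not grow.
$bytes = 0;
for ($i = 0; $i < 3; $i++) {
    $bytes = handleWithCleanup($sampleParts, $dir, $handler);
}
printf("leftover files after 3 hardened invocations: %d (handler saw %d bytes)\n",
    countLeftoverUploads($dir) - $before, $bytes);
```

Run with `php example.php`. The count difference is what matters in a Lambda execution environment: /tmp persists between invocations while the environment stays warm, so without the unlink in finally each request that carries a file consumes a little more of that space. The try/finally shape also covers handlers that throw, which is where an explicit cleanup call placed after the handler would be skipped.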

References

  • github.com/advisories/GHSA-x4hh-frx8-98r5
  • github.com/brefphp/bref
  • github.com/brefphp/bref/blob/2.1.12/src/Event/Http/Psr7Bridge.php
  • github.com/brefphp/bref/commit/350788de12880b6fd64c4c318ba995388bec840e
  • github.com/brefphp/bref/security/advisories/GHSA-x4hh-frx8-98r5
  • nvd.nist.gov/vuln/detail/CVE-2024-24752

Affected versions

All versions before 2.1.13

Fixed versions

  • 2.1.13

Solution

Upgrade to version 2.1.13 or above.

Impact: 6.5 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Weakness

  • CWE-400: Uncontrolled Resource Consumption
  • CWE-770: Allocation of Resources Without Limits or Throttling

Source file

packagist/bref/bref/CVE-2024-24752.yml