CVE-2024-29186: Slow String Operations via MultiPart Requests in Event-Driven Functions
When Bref is used with the Event-Driven Function runtime and the handler is a RequestHandlerInterface
, then the Lambda event is converted to a PSR7 object.
During the conversion process, if the request is a MultiPart, each part is parsed. In the parsing process, the Content-Type
header of each part is read using the Riverline/multipart-parser
library.
The library, in the StreamedPart::parseHeaderContent
function, performs slow multi-byte string operations on the header value.
Precisely, the mb_convert_encoding
function is used with the first ($string
) and third ($from_encoding
) parameters read from the header value.
References
Detect and mitigate CVE-2024-29186 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →