CVE-2024-29186: Slow String Operations via MultiPart Requests in Event-Driven Functions

When Bref is used with the Event-Driven Function runtime and the handler is a RequestHandlerInterface, then the Lambda event is converted to a PSR7 object. During the conversion process, if the request is a MultiPart, each part is parsed. In the parsing process, the Content-Type header of each part is read using the Riverline/multipart-parser library.

The library, in the StreamedPart::parseHeaderContent function, performs slow multi-byte string operations on the header value. Precisely, the mb_convert_encoding function is used with the first ($string) and third ($from_encoding) parameters read from the header value.