CVE-2024-29186 in bref

Summary

by MITRE • 03/22/2024

Bref is an open-source project that helps users go serverless on Amazon Web Services with PHP. When Bref prior to version 2.1.17 is used with the Event-Driven Function runtime and the handler is a `RequestHandlerInterface`, the Lambda event is converted to a PSR-7 object. During the conversion, if the request is multipart, each part is parsed. In the parsing process, the `Content-Type` header of each part is read using the `Riverline/multipart-parser` library.

The library, in the `StreamedPart::parseHeaderContent` function, performs slow multi-byte string operations on the header value. Precisely, the `mb_convert_encoding` function is used with the first (`$string`) and third (`$from_encoding`) parameters read from the header value.

An attacker could send specifically crafted requests which would force the server into performing long operations with a consequent long billed duration.

The attack has the following requirements and limitations: The Lambda should use the Event-Driven Function runtime and the `RequestHandlerInterface` handler and should implement at least an endpoint accepting POST requests; the attacker can send requests up to 6MB long (this is enough to cause a billed duration between 400ms and 500ms with the default 1024MB RAM Lambda image of Bref); and if the Lambda uses a PHP runtime <= php-82, the impact is higher as the billed duration in the default 1024MB RAM Lambda image of Bref could be brought to more than 900ms for each request. Notice that the vulnerability applies only to headers read from the request body as the request header has a limitation which allows a total maximum size of ~10KB.
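As an added illustration (not Bref's or Riverline/multipart-parser's code), the following PHP decodes a part-header parameter of the assumed form `charset'language'percent-encoded-value`, where both the charset and the string would otherwise be passed straight from the request into `mb_convert_encoding`, and bounds that work with a length cap and a charset allowlist. The constant names, the limits and the sample inputs are assumptions made for this example.

```php
<?php
// Added example, not part of Bref or Riverline/multipart-parser.
// Decodes an extended header parameter such as  filename*=UTF-8''na%C3%AFve.txt
// while bounding the work mb_convert_encoding may do on request-controlled input.
declare(strict_types=1);

const MAX_PARAM_VALUE_BYTES = 1024;                          // assumed cap, generous for real parameters
const ALLOWED_CHARSETS = ['UTF-8', 'ISO-8859-1', 'US-ASCII']; // assumed allowlist

/**
 * Decode  charset'language'value  into a UTF-8 string.
 * Returns null instead of converting when the input is outside the bounds above.
 */
function decodeExtendedParameter(string $raw): ?string
{
    // 1. Bound the input before any multi-byte work is done on it.
    if (strlen($raw) > MAX_PARAM_VALUE_BYTES) {
        return null;
    }
    // 2. Split charset'language'value; reject anything that is not exactly three fields.
    $fields = explode("'", $raw, 3);
    if (count($fields) !== 3) {
        return null;
    }
    [$charset, , $encoded] = $fields;
    // 3. Only convert from a charset chosen by the application; the charset name
    //    taken from the request is used solely for the allowlist lookup.
    $charset = strtoupper(trim($charset));
    if (!in_array($charset, ALLOWED_CHARSETS, true)) {
        return null;
    }
    $bytes   = rawurldecode($encoded);
    $decoded = mb_convert_encoding($bytes, 'UTF-8', $charset);
    // 4. Defensive check that the result is well-formed UTF-8 before it is used
    //    as a filename or array key downstream.
    return mb_check_encoding($decoded, 'UTF-8') ? $decoded : null;
}

// Constructed sample inputs.
var_dump(decodeExtendedParameter("UTF-8''na%C3%AFve.txt"));              // string "naïve.txt"
var_dump(decodeExtendedParameter("ISO-8859-1''caf%E9.txt"));             // string "café.txt"
var_dump(decodeExtendedParameter("UTF-7''x"));                           // NULL: charset not allowed
var_dump(decodeExtendedParameter("UTF-8''" . str_repeat('%41', 4096)));  // NULL: over the length cap
```

The cap and allowlist are applied before `mb_convert_encoding` runs, so the cost of the conversion is bounded by values the application controls rather than by what the request carries.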

Version 2.1.17 contains a fix for this issue.


Analysis

by VulDB Data Team • 12/05/2025

CVE-2024-29186 represents a server-side resource exhaustion vulnerability affecting Bref serverless framework versions prior to 2.1.17 when operating with Event-Driven Function runtime and RequestHandlerInterface handlers. This vulnerability stems from inefficient string processing within the Riverline/multipart-parser library, specifically in the StreamedPart::parseHeaderContent function where the mb_convert_encoding function is invoked with parameters derived from user-supplied header values. The flaw manifests when processing multipart requests where each part's Content-Type header is parsed using multi-byte string operations that scale linearly with input size, creating a potential denial of service vector through excessive computational overhead.

The vulnerability relies on the performance characteristics of PHP's mb_convert_encoding function, whose character-encoding conversions become computationally expensive on large header values. When an attacker crafts multipart requests with specially constructed Content-Type headers containing extended multi-byte sequences, the parsing routine executes time-consuming operations that translate directly into increased Lambda execution time and billing duration. This vulnerability operates at the intersection of CWE-795, which addresses excessive string operations in input parsing, and CWE-400, covering resource exhaustion vulnerabilities. The attack requires specific environmental conditions, namely the Event-Driven Function runtime and a RequestHandlerInterface handler, which limits its applicability while leaving its impact potential significant.

The operational impact of CVE-2024-29186 extends beyond simple denial of service to encompass financial consequences through increased AWS Lambda billing. Under default Bref configurations with 1024MB RAM Lambda instances, attackers can generate billed durations ranging from 400-500ms for requests up to 6MB in size, with PHP runtime versions <= php-82 experiencing even more severe impacts exceeding 900ms per request. This represents a direct cost escalation for affected organizations, with potential for cascading effects when multiple malicious requests are processed sequentially. The vulnerability's design limitation that restricts impact to request body headers rather than HTTP headers provides some mitigation but does not eliminate the threat, as the 10KB total request header limit does not constrain the multipart payload size that triggers the vulnerable code path.

Mitigation strategies for CVE-2024-29186 center on immediate version upgrading to Bref 2.1.17 or later, which implements proper input validation and sanitization of header values before processing. Organizations should also implement request size limiting mechanisms and consider rate limiting for POST endpoints that accept multipart content, particularly those configured with Event-Driven Function runtime. Network-level controls including API gateway request size limits and Lambda function timeout configurations can provide additional defense-in-depth layers. The vulnerability's alignment with ATT&CK technique T1499.004, which covers resource exhaustion attacks, underscores the need for comprehensive monitoring of Lambda execution times and billing patterns to detect anomalous usage patterns indicative of exploitation attempts. Security teams should also conduct vulnerability assessments of all serverless applications using Bref to ensure proper patching and configuration alignment with security best practices for cloud-native environments.

Responsible

GitHub, Inc.

Reservation

03/18/2024

Disclosure

03/22/2024

Moderation

accepted

CPE

ready

EPSS

0.00669

KEV

no

Activities

very low
