Description
Bref enable serverless PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the handler is a `RequestHandlerInterface`, then the Lambda event is converted to a PSR7 object. During the conversion process, if the request is a MultiPart, each part is parsed and for each which contains a file, it is extracted and saved in `/tmp` with a random filename starting with `bref_upload_`. The flow mimics what plain PHP does but it does not delete the temporary files when the request has been processed. An attacker could fill the Lambda instance disk by performing multiple MultiPart requests containing files. This vulnerability is patched in 2.1.13.
References (2)
Core 2
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/brefphp/bref/security/advisories/GHSA-x4hh-frx8-98r5
Patch x_refsource_misc
https://github.com/brefphp/bref/commit/350788de12880b6fd64c4c318ba995388bec840e
Scores
CVSS v3
6.5
EPSS
0.0014
EPSS Percentile
33.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-770
CWE-400
Status
published
Products (2)
bref/bref
0 - 2.1.13Packagist
mnapoli/bref
< 2.1.13
Published
Feb 01, 2024
Tracked Since
Feb 18, 2026