
CVE-2024-24754: CWE-436: Interpretation Conflict in brefphp bref

Low
Type: Vulnerability
Tags: CVE-2024-24754, cve, cwe-436
Published: Thu Feb 01 2024 (02/01/2024, 16:10:30 UTC)
Source: CVE
Vendor/Project: brefphp
Product: bref

Description

Bref enables serverless PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the handler is a `RequestHandlerInterface`, the Lambda event is converted to a PSR-7 object. During the conversion process, if the request is multipart, each part is parsed and its content added to the `$files` or `$parsedBody` arrays. The conversion process produces a different output compared to that of plain PHP when keys ending with an open square bracket ([) are used. Depending on the application logic, the difference in body parsing might lead to vulnerabilities and/or undefined behaviors. This vulnerability is patched in 2.1.13.

AI-Powered Analysis

Last updated: 07/04/2025, 18:28:11 UTC

Technical Analysis

CVE-2024-24754 is a vulnerability identified in the brefphp project, specifically in the bref library in versions prior to 2.1.13. Bref is a runtime framework that enables serverless PHP applications to run on AWS Lambda. The vulnerability arises when bref is used with the Event-Driven Function runtime and the handler implements the RequestHandlerInterface. In this configuration, the Lambda event is converted into a PSR-7 compatible HTTP request object. During this conversion, if the incoming request carries multipart form data, each part is parsed and its content is added to the $files or $parsedBody arrays. However, bref's parsing logic differs from that of plain PHP when handling keys that end with an open square bracket ([). This discrepancy is an interpretation conflict (CWE-436): the structure and content of the parsed body differ between bref and a standard PHP environment. Such inconsistencies can cause application logic to behave unexpectedly or incorrectly, potentially leading to vulnerabilities such as improper input validation, bypass of security controls, or undefined behaviors in the application. The vulnerability does not directly affect confidentiality or availability, but it can cause integrity issues through incorrect processing of input data. The issue has been addressed and patched in bref version 2.1.13. The CVSS v3.1 base score is 3.7 (low severity), reflecting the limited impact and the complexity of exploitation (high attack complexity, no privileges required, no user interaction). No known exploits are currently reported in the wild.

Potential Impact

For European organizations leveraging serverless PHP applications on AWS Lambda using bref versions prior to 2.1.13, this vulnerability could lead to subtle application logic errors due to inconsistent parsing of multipart form data. This may result in data integrity issues, such as incorrect processing of uploaded files or form inputs, potentially allowing attackers to bypass validation or trigger undefined behaviors. While the direct impact on confidentiality and availability is minimal, the integrity compromise could affect business processes relying on accurate input handling, such as financial transactions, user authentication, or data submission workflows. Organizations in sectors with strict data integrity requirements, such as finance, healthcare, and government, may face compliance risks if these parsing inconsistencies lead to erroneous data processing. Additionally, debugging and incident response efforts could be complicated by the differing behaviors between local PHP environments and the serverless runtime, increasing operational overhead.

Mitigation Recommendations

European organizations should immediately upgrade bref to version 2.1.13 or later to apply the official patch resolving this interpretation conflict. Beyond upgrading, developers should audit their application code that handles multipart form data, especially where keys with trailing open square brackets are used, to ensure consistent behavior across all environments. Implement comprehensive input validation and sanitization routines independent of the runtime’s parsing to mitigate risks from malformed or unexpected inputs. Testing should include multipart requests with complex key structures to detect any discrepancies in parsing or handling. Additionally, monitoring and logging multipart request processing can help detect anomalous behaviors indicative of exploitation attempts. Organizations should also review their deployment pipelines to ensure that serverless functions are updated promptly and that legacy versions of bref are not inadvertently used in production. Finally, educating development teams about the nuances of serverless PHP runtimes and their differences from traditional PHP environments can reduce the risk of logic errors stemming from such vulnerabilities.
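As an added example (not Bref's or the CVE's own code), a Python harness for the testing step above: it parses a constructed multipart body and computes the key layout plain PHP would store each field under, so a runtime's $parsedBody for the same body can be diffed against it. The rule encoded for an unclosed '[' (PHP mangles a name like `role[` into the flat key `role_`, and turns '.' and ' ' in the base name into '_') is PHP's own $_POST name handling; nested corner cases are rejected rather than guessed, and bref's pre-2.1.13 output for such names is not reproduced here.

```python
import re

BOUNDARY = "----bref-demo-boundary"  # constructed sample boundary
def _part(name: str, value: str) -> str:  # one form-data part, CRLF line endings as a browser sends them
    return f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'
SAMPLE_FIELDS = [("user[email]", "alice@example.org"), ("tags[]", "a"), ("tags[]", "b"), ("role[", "admin")]
SAMPLE_BODY = "".join(_part(n, v) for n, v in SAMPLE_FIELDS) + f"--{BOUNDARY}--\r\n"  # constructed sample

def parse_multipart(body: str, boundary: str) -> list[tuple[str, str]]:
    """Return (field name, value) pairs for the non-file parts; the closing '--' chunk has no name and is dropped."""
    fields = []
    for chunk in body.split(f"--{boundary}")[1:]:
        head, _, value = chunk.lstrip("\r\n").partition("\r\n\r\n")
        m = re.search(r'name="([^"]*)"', head)
        if m and 'filename="' not in head:  # skip malformed parts and file uploads
            fields.append((m.group(1), value.rstrip("\r\n")))
    return fields

def php_key_path(name: str) -> list[str]:
    """Key path plain PHP stores this field under in $_POST: '.'/' ' in the base name become '_', '[x]' nests,
    '[]' appends, an unclosed '[' in base position becomes '_' with the rest kept flat ("role[" -> "role_")."""
    base, sep, rest = name.partition("[")
    base = base.replace(".", "_").replace(" ", "_")
    if not sep:
        return [base]
    if "]" not in rest:  # unclosed first bracket: the shape this advisory describes
        return [base + "_" + rest]
    path, pos = [base], 0
    while pos < len(rest):
        end = rest.find("]", pos)
        if end == -1 or (end + 1 < len(rest) and rest[end + 1] != "["):
            raise ValueError(f"PHP corner case not modelled here: {name!r}")  # nested unclosed or trailing junk
        path.append(rest[pos:end])
        pos = end + 2  # step over "][" to the next index
    return path

def php_parsed_body(fields: list[tuple[str, str]]) -> dict:
    """Nested array plain PHP would expose as $_POST (PHP lists shown as int-keyed dicts)."""
    next_index = lambda node: max((k for k in node if isinstance(k, int)), default=-1) + 1
    result: dict = {}
    for name, value in fields:
        *parents, last = php_key_path(name)
        node = result
        for key in parents:
            key = next_index(node) if key == "" else key
            if not isinstance(node.get(key), dict):  # PHP replaces a scalar with an array here
                node[key] = {}
            node = node[key]
        node[next_index(node) if last == "" else last] = value
    return result
```

Feed the same body through the runtime under test and diff its $parsedBody against php_parsed_body(); any field name php_key_path() rejects is worth logging rather than trusting.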


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2024-01-29T20:51:26.010Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682cd0fa1484d88663aec2f2

Added to database: 5/20/2025, 6:59:06 PM

Last enriched: 7/4/2025, 6:28:11 PM

Last updated: 8/15/2025, 7:58:29 PM

