VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-b8d4-abjx-37f1

Essentials
Severities (18)
References (7)
Severity details (14)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-b8d4-abjx-37f1
Aliases	CVE-2024-24752 GHSA-x4hh-frx8-98r5
Summary	Bref enable serverless PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the handler is a `RequestHandlerInterface`, then the Lambda event is converted to a PSR7 object. During the conversion process, if the request is a MultiPart, each part is parsed and for each which contains a file, it is extracted and saved in `/tmp` with a random filename starting with `bref_upload_`. The flow mimics what plain PHP does but it does not delete the temporary files when the request has been processed. An attacker could fill the Lambda instance disk by performing multiple MultiPart requests containing files. This vulnerability is patched in 2.1.13.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-400	Uncontrolled Resource Consumption
CWE-770	Allocation of Resources Without Limits or Throttling
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00141	https://api.first.org/data/v1/epss?cve=CVE-2024-24752
epss	0.00141	https://api.first.org/data/v1/epss?cve=CVE-2024-24752
epss	0.00141	https://api.first.org/data/v1/epss?cve=CVE-2024-24752
epss	0.00141	https://api.first.org/data/v1/epss?cve=CVE-2024-24752
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-x4hh-frx8-98r5
cvssv3.1	6.5	https://github.com/brefphp/bref
generic_textual	MODERATE	https://github.com/brefphp/bref
cvssv3.1	6.5	https://github.com/brefphp/bref/blob/2.1.12/src/Event/Http/Psr7Bridge.php#L94-L125
generic_textual	MODERATE	https://github.com/brefphp/bref/blob/2.1.12/src/Event/Http/Psr7Bridge.php#L94-L125
cvssv3.1	6.5	https://github.com/brefphp/bref/commit/350788de12880b6fd64c4c318ba995388bec840e
generic_textual	MODERATE	https://github.com/brefphp/bref/commit/350788de12880b6fd64c4c318ba995388bec840e
ssvc	Track	https://github.com/brefphp/bref/commit/350788de12880b6fd64c4c318ba995388bec840e
cvssv3.1	6.5	https://github.com/brefphp/bref/security/advisories/GHSA-x4hh-frx8-98r5
cvssv3.1_qr	MODERATE	https://github.com/brefphp/bref/security/advisories/GHSA-x4hh-frx8-98r5
generic_textual	MODERATE	https://github.com/brefphp/bref/security/advisories/GHSA-x4hh-frx8-98r5
ssvc	Track	https://github.com/brefphp/bref/security/advisories/GHSA-x4hh-frx8-98r5
cvssv3.1	6.5	https://nvd.nist.gov/vuln/detail/CVE-2024-24752
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2024-24752

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2024-24752
		https://github.com/brefphp/bref
		https://github.com/brefphp/bref/blob/2.1.12/src/Event/Http/Psr7Bridge.php#L94-L125
350788de12880b6fd64c4c318ba995388bec840e		https://github.com/brefphp/bref/commit/350788de12880b6fd64c4c318ba995388bec840e
CVE-2024-24752		https://nvd.nist.gov/vuln/detail/CVE-2024-24752
GHSA-x4hh-frx8-98r5		https://github.com/advisories/GHSA-x4hh-frx8-98r5
GHSA-x4hh-frx8-98r5		https://github.com/brefphp/bref/security/advisories/GHSA-x4hh-frx8-98r5

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/brefphp/bref

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/brefphp/bref/blob/2.1.12/src/Event/Http/Psr7Bridge.php#L94-L125

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/brefphp/bref/commit/350788de12880b6fd64c4c318ba995388bec840e

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-05T17:05:38Z/ Found at https://github.com/brefphp/bref/commit/350788de12880b6fd64c4c318ba995388bec840e

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/brefphp/bref/security/advisories/GHSA-x4hh-frx8-98r5

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-05T17:05:38Z/ Found at https://github.com/brefphp/bref/security/advisories/GHSA-x4hh-frx8-98r5

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2024-24752

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.34026
EPSS Score	0.00141
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-10T18:47:31.175491+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2024/24xxx/CVE-2024-24752.json	38.6.0