Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-bw4u-2yen-xbbs
Vulnerability ID VCID-bw4u-2yen-xbbs
Aliases CVE-2024-24753
GHSA-99f9-gv72-fw9r
Summary Bref enable serverless PHP on AWS Lambda. When Bref is used in combination with an API Gateway with the v2 format, it does not handle multiple values headers. If PHP generates a response with two headers having the same key but different values only the latest one is kept. If an application relies on multiple headers with the same key being set for security reasons, then Bref would lower the application security. For example, if an application sets multiple `Content-Security-Policy` headers, then Bref would just reflect the latest one. This vulnerability is patched in 2.1.13.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-436 Interpretation Conflict
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00191 https://api.first.org/data/v1/epss?cve=CVE-2024-24753
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-99f9-gv72-fw9r
cvssv3.1 4.8 https://github.com/brefphp/bref
generic_textual MODERATE https://github.com/brefphp/bref
cvssv3.1 4.8 https://github.com/brefphp/bref/blob/2.1.12/src/Event/Http/HttpResponse.php#L61-L90
generic_textual MODERATE https://github.com/brefphp/bref/blob/2.1.12/src/Event/Http/HttpResponse.php#L61-L90
cvssv3.1 4.8 https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc
generic_textual MODERATE https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc
ssvc Track https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc
cvssv3.1 4.8 https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r
cvssv3.1_qr MODERATE https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r
generic_textual MODERATE https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r
ssvc Track https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r
cvssv3.1 4.8 https://nvd.nist.gov/vuln/detail/CVE-2024-24753
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2024-24753
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2024-24753
https://github.com/brefphp/bref
https://github.com/brefphp/bref/blob/2.1.12/src/Event/Http/HttpResponse.php#L61-L90
CVE-2024-24753 https://nvd.nist.gov/vuln/detail/CVE-2024-24753
f834027aaf88b3885f4aa8edf6944ae920daf2dc https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc
GHSA-99f9-gv72-fw9r https://github.com/advisories/GHSA-99f9-gv72-fw9r
GHSA-99f9-gv72-fw9r https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/brefphp/bref
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/brefphp/bref/blob/2.1.12/src/Event/Http/HttpResponse.php#L61-L90
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-21T19:51:56Z/ Found at https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-21T19:51:56Z/ Found at https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-24753
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.40844
EPSS Score 0.00191
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-10T18:47:23.473550+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2024/24xxx/CVE-2024-24753.json 38.6.0