CVE-2024-24752: 
PHP vulnerability analysis and mitigation

CVE-2024-24752 is a vulnerability in Bref, a PHP serverless framework for AWS Lambda. The vulnerability was discovered and disclosed on February 1, 2024, affecting Bref versions prior to 2.1.13. The issue specifically impacts the Event-Driven Function runtime when using the RequestHandlerInterface handler (GitHub Advisory, NVD).

The vulnerability exists in the file handling mechanism of Bref's Event-Driven Function runtime. When processing MultiPart requests containing files, the system creates temporary files in /tmp with random filenames prefixed with 'bref_upload_'. The critical flaw is that these temporary files are not deleted after request processing. The vulnerability has been assigned a CVSS v3.1 score of 6.5 (MEDIUM) (NVD).

An attacker could exploit this vulnerability to fill the Lambda instance disk by performing multiple MultiPart requests containing files. Given that Lambda instances have a default disk size of 512MB and requests are limited to 6MB, approximately 100 requests could be sufficient to fill the disk. This could lead to denial of service conditions for the affected Lambda function (GitHub Advisory).

The vulnerability has been patched in Bref version 2.1.13. The fix involves implementing proper cleanup of temporary files after request processing and response generation. Users are advised to upgrade to this version or later to address the vulnerability (GitHub Advisory).