
Cloud Vulnerability DB
A community-led vulnerabilities database
Bref, a tool that enables serverless PHP on AWS Lambda, contains a vulnerability (CVE-2024-24753) in versions prior to 2.1.13 when used in combination with API Gateway v2 format. The vulnerability relates to improper handling of multiple value headers in HTTP responses, where only the latest header value is kept when multiple headers share the same key (GitHub Advisory).
The vulnerability exists in the HTTP response handling mechanism of Bref, specifically in the src/Event/Http/HttpResponse.php file. When processing responses with multiple headers sharing the same key, the system only retains the last value instead of properly concatenating all values. This behavior deviates from the RFC, which specifies that multiple header values should be combined with comma separators (GitHub Advisory).
If an application relies on multiple headers with the same key being set for security reasons, Bref would lower the application's security. For example, if an application sets multiple Content-Security-Policy headers, only the latest one would be reflected, potentially weakening the security posture of the application (GitHub Advisory).
The vulnerability has been patched in version 2.1.13 of Bref. The fix involves concatenating all multiple value headers with a comma separator and returning a single header with all the values to the API Gateway, as per RFC specifications (GitHub Commit).
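To make the flaw concrete, the following is an added example (not Bref's own code) contrasting a last-value-wins flattening with the comma-joined flattening the fix describes. The function names, the header array layout, and the sample headers are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Constructed example, not Bref's code. Headers are modelled as name => list of values,
// the shape a PSR-7 response's getHeaders() produces. The API Gateway v2 response
// format accepts only one string per header name, so the lists must be flattened.

/**
 * Flawed flattening (the behaviour CVE-2024-24753 describes): every value is
 * written to the same key, so only the last value for a name survives.
 */
function flattenHeadersLastWins(array $headers): array
{
    $flat = [];
    foreach ($headers as $name => $values) {
        foreach ((array) $values as $value) {
            $flat[strtolower($name)] = $value; // silently overwrites earlier values
        }
    }
    return $flat;
}

/**
 * Corrected flattening: all values for a name are joined with a comma, which the
 * HTTP RFC permits for list-based header fields, so no value is dropped.
 */
function flattenHeadersJoined(array $headers): array
{
    $flat = [];
    foreach ($headers as $name => $values) {
        $flat[strtolower($name)] = implode(', ', (array) $values);
    }
    return $flat;
}

// Constructed sample: an application that emits two Content-Security-Policy headers,
// both of which the browser is expected to enforce, plus an ordinary single-value header.
$headers = [
    'Content-Security-Policy' => ["default-src 'self'", "frame-ancestors 'none'"],
    'Content-Type'            => ['text/html; charset=utf-8'],
];

$lastWins = flattenHeadersLastWins($headers);
$joined   = flattenHeadersJoined($headers);

// Flawed result: "frame-ancestors 'none'" only; the default-src restriction is lost.
echo $lastWins['content-security-policy'], PHP_EOL;
// Fixed result: "default-src 'self', frame-ancestors 'none'"; browsers enforce each
// comma-separated policy, so the response stays as strict as the application intended.
echo $joined['content-security-policy'], PHP_EOL;
```

One caveat when reviewing a flattening routine of this kind: Set-Cookie is the well-known exception that cannot be comma-joined, because cookie values may themselves contain commas, and the API Gateway v2 response format carries cookies in its separate cookies field rather than as a header.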
Source: This report was generated using AI