Skip to main content

Wisp CVE-2026-32145

| EUVDEUVD-2026-18186 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-02 EEF GHSA-8645-p2v4-73r2
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Apr 02, 2026 - 10:45 euvd
EUVD-2026-18186
Analysis Generated
Apr 02, 2026 - 10:45 vuln.today
Patch released
Apr 02, 2026 - 10:45 nvd
Patch available
CVE Published
Apr 02, 2026 - 10:30 nvd
HIGH 8.7

DescriptionCVE.org

Allocation of Resources Without Limits or Throttling vulnerability in gleam-wisp wisp allows a denial of service via multipart form body parsing.

The multipart_body function bypasses configured max_body_size and max_files_size limits. When a multipart boundary is not present in a chunk, the parser takes the MoreRequiredForBody path, which appends the chunk to the output but passes the quota unchanged to the recursive call. Only the final chunk containing the boundary is counted via decrement_quota. The same pattern exists in multipart_headers, where MoreRequiredForHeaders recurses without calling decrement_body_quota.

An unauthenticated attacker can exhaust server memory or disk by sending arbitrarily large multipart form submissions in a single HTTP request.

This issue affects wisp: from 0.2.0 before 2.2.2.

AnalysisAI

Denial of service in gleam-wisp wisp 0.2.0 through 2.2.1 allows unauthenticated remote attackers to exhaust server memory or disk by sending arbitrarily large multipart form submissions that bypass configured size limits. The multipart_body and multipart_headers parsing functions fail to properly decrement resource quotas for chunks lacking multipart boundaries, enabling attackers to accumulate unbounded data in a single HTTP request. Patch available as of version 2.2.2.

Technical ContextAI

The vulnerability exists in the multipart form body parsing logic of the gleam-wisp HTTP framework (CWE-770: Allocation of Resources Without Limits or Throttling). The multipart_body function is designed to respect max_body_size and max_files_size configuration limits by decrementing a quota as data is consumed. However, when processing chunks that do not contain a multipart boundary marker, the parser takes a MoreRequiredForBody code path that appends the chunk to accumulated output but passes the quota unchanged to the recursive call. Only when a boundary is finally encountered is the quota decremented. An identical pattern occurs in multipart_headers with MoreRequiredForHeaders recursion bypassing decrement_body_quota. This allows attackers to bypass resource limits by sending many large chunks without boundary markers, accumulating data without triggering quota enforcement. The vulnerability affects gleam-wisp versions from 0.2.0 through 2.2.1 (CPE: cpe:2.3:a:gleam-wisp:wisp:*:*:*:*:*:*:*:*).

RemediationAI

Upgrade gleam-wisp wisp to version 2.2.2 or later, which includes the fix from commit 7a978748e12ab29db232c222254465890e1a4a90. The patch corrects the quota management logic in multipart_body and multipart_headers to properly decrement limits for all chunks, not only those containing boundaries. Obtain the patched version from the official gleam-wisp repository and redeploy affected applications. If immediate patching is not possible, consider disabling multipart form handling or implementing a reverse proxy with request size limits as a temporary mitigation. See the security advisory at https://github.com/gleam-wisp/wisp/security/advisories/GHSA-8645-p2v4-73r2 for additional details.

Share

CVE-2026-32145 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy