CVE-2026-32145

Severity: High (CVSS 4.0 base score 8.7)
EPSS: 45.3%
Published: Apr 2, 2026
Last Modified: Jun 17, 2026

Description

Allocation of Resources Without Limits or Throttling vulnerability in gleam-wisp wisp allows a denial of service via multipart form body parsing. The multipart_body function bypasses configured max_body_size and max_files_size limits. When a multipart boundary is not present in a chunk, the parser takes the MoreRequiredForBody path, which appends the chunk to the output but passes the quota unchanged to the recursive call. Only the final chunk containing the boundary is counted via decrement_quota. The same pattern exists in multipart_headers, where MoreRequiredForHeaders recurses without calling decrement_body_quota. An unauthenticated attacker can exhaust server memory or disk by sending arbitrarily large multipart form submissions in a single HTTP request. This issue affects wisp: from 0.2.0 before 2.2.2.
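
A simplified Python model of the accounting flaw described above, added here as an illustration: it is not wisp's Gleam code, and the function names, boundary value and chunk sizes are constructed. It assumes the boundary never straddles two chunks.

```python
"""Model of chunked multipart body reading against a byte quota (hypothetical names)."""

BOUNDARY = b"\r\n--XBOUNDARY"  # constructed boundary marker


class QuotaExceeded(Exception):
    """Raised when a part would consume more bytes than the remaining quota."""


def decrement_quota(quota: int, size: int) -> int:
    # Refuse the bytes instead of letting the quota go negative.
    if size > quota:
        raise QuotaExceeded(f"need {size} bytes, {quota} left")
    return quota - size


def read_part(chunks, quota: int, count_partial_chunks: bool):
    """Accumulate chunks until the boundary appears; return (body, remaining quota).

    count_partial_chunks=False models the flaw: chunks without a boundary
    (the "more required" path) are appended but the quota is passed on unchanged.
    count_partial_chunks=True charges every appended chunk against the quota.
    """
    body = b""
    for chunk in chunks:
        end = chunk.find(BOUNDARY)
        if end == -1:
            if count_partial_chunks:
                quota = decrement_quota(quota, len(chunk))
            body += chunk
            continue
        # Final chunk: only this one is charged in the flawed variant.
        quota = decrement_quota(quota, end)
        return body + chunk[:end], quota
    raise ValueError("stream ended before the boundary")


def oversized_request(limit: int = 1024, chunk_size: int = 512, count: int = 64):
    """Constructed input: 32 KiB of body sent against a 1 KiB limit."""
    return limit, [b"A" * chunk_size] * count + [b"tail" + BOUNDARY]


if __name__ == "__main__":
    limit, chunks = oversized_request()
    body, left = read_part(chunks, limit, count_partial_chunks=False)
    print(f"flawed: accepted {len(body)} bytes, quota left {left} of {limit}")
    try:
        read_part(chunks, limit, count_partial_chunks=True)
    except QuotaExceeded as exc:
        print(f"fixed: rejected ({exc})")
```

In the flawed variant the remaining quota barely moves however many boundary-free chunks precede the last one, which is why the configured limit never triggers.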

CVSS Details

Base Score: 8.7
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Threat Intelligence

EPSS Exploit Probability: 45.3% percentile
Exploit & Patch Status: No Known Exploit; Patch Available

Weaknesses 1

CWE-770

Affected Products 1

Vendor      Product  Version  Range
gleam-wisp  wisp     *        ≥0.2.0 – <2.2.2

References 4

  • cna.erlef.org https://cna.erlef.org/cves/CVE-2026-32145.html
    Patch, Third Party Advisory
  • github.com https://github.com/gleam-wisp/wisp/commit/7a978748e12ab29db232c222254465890e1a4a90
    Patch
  • github.com https://github.com/gleam-wisp/wisp/security/advisories/GHSA-8645-p2v4-73r2
    Vendor Advisory
  • osv.dev https://osv.dev/vulnerability/EEF-CVE-2026-32145
    Third Party Advisory

Remediation

  • cna.erlef.org https://cna.erlef.org/cves/CVE-2026-32145.html
    Patch, Third Party Advisory
  • github.com https://github.com/gleam-wisp/wisp/commit/7a978748e12ab29db232c222254465890e1a4a90
    Patch