CVE-2026-32145: Denial of Service via Multipart Parsing Limit Bypass in Wisp
Vulnerability ID: CVE-2026-32145
CVSS Score: 8.7
Published: 2026-04-03
CVE-2026-32145 is a high-severity Denial of Service vulnerability in the Wisp web framework for the Gleam programming language. Unauthenticated remote attackers can bypass configured max_body_size and max_files_size limits during multipart/form-data parsing to exhaust memory or disk space.
TL;DR
A logic flaw in Wisp's multipart parser allows attackers to bypass size limits by sending unbounded streams of data without a boundary delimiter. This results in resource exhaustion and denial of service. The vulnerability is fixed in version 2.2.2.
Technical Details
- CWE ID: CWE-770
- Attack Vector: Network
- CVSS v4.0: 8.7 (High)
- EPSS Score: 0.015% (Percentile: 2.92%)
- Impact: Denial of Service (Availability)
- Exploit Status: None/PoC
- CISA KEV: Not Listed
Affected Systems
- Wisp Web Framework
- wisp: >= 0.2.0, < 2.2.2 (Fixed in: 2.2.2)
Code Analysis
Commit: 7a97874
Fix multipart parsing limit bypass by decrementing quotas during recursion.
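As an added illustration (not Wisp's code and not part of the advisory), the toy reader below models the point in the commit message in Python: a recursive part reader that checks each chunk against the full limit will buffer a boundary-less stream forever, while one that passes the remaining quota into each recursive call rejects it. The chunk size, the function names, and the sample inputs (a normal part and a constructed boundary-less flood) are assumptions chosen for the demonstration; the boundary is also assumed not to straddle a chunk edge, to keep the toy short.

```python
# Added illustration (not Wisp's code): a toy recursive multipart part reader
# showing why a size quota must be decremented on each recursive read.
# Assumptions: the stream is an in-memory byte string read in fixed chunks,
# and the boundary never straddles a chunk edge (kept simple on purpose).

CHUNK_SIZE = 1024


class BodyTooLarge(Exception):
    """Raised when a part exceeds the configured size limit."""


def _read_chunk(stream: bytes, offset: int) -> bytes:
    """Return the next chunk of the stream (empty bytes once it is exhausted)."""
    return stream[offset:offset + CHUNK_SIZE]


def read_part_vulnerable(stream: bytes, boundary: bytes, max_size: int,
                         offset: int = 0, acc: bytes = b"") -> bytes:
    """Flawed reader: checks each chunk against the *full* limit.

    Because the recursive call passes max_size unchanged, a body that never
    contains the boundary is accepted chunk after chunk, regardless of total size.
    """
    chunk = _read_chunk(stream, offset)
    if not chunk:
        return acc  # stream exhausted without a boundary: everything was buffered
    if len(chunk) > max_size:
        raise BodyTooLarge(f"chunk of {len(chunk)} bytes exceeds quota {max_size}")
    idx = chunk.find(boundary)
    if idx != -1:
        return acc + chunk[:idx]
    # BUG: the quota is not reduced by what was already consumed.
    return read_part_vulnerable(stream, boundary, max_size,
                                offset + len(chunk), acc + chunk)


def read_part_fixed(stream: bytes, boundary: bytes, max_size: int,
                    offset: int = 0, acc: bytes = b"") -> bytes:
    """Corrected reader: max_size is the *remaining* quota and shrinks on each recursion."""
    chunk = _read_chunk(stream, offset)
    if not chunk:
        return acc
    if len(chunk) > max_size:
        raise BodyTooLarge(f"part exceeds remaining quota of {max_size} bytes")
    idx = chunk.find(boundary)
    if idx != -1:
        return acc + chunk[:idx]
    # FIX: carry the remaining quota into the recursive call.
    return read_part_fixed(stream, boundary, max_size - len(chunk),
                           offset + len(chunk), acc + chunk)


def demo(limit: int = 4096, flood_size: int = 20 * 1024) -> dict:
    """Compare both readers on a normal part and on a boundary-less flood (constructed inputs)."""
    boundary = b"--gleam-boundary"
    normal = b"field-value" + boundary + b"\r\n"   # well-formed part, well under the limit
    flood = b"A" * flood_size                       # no boundary anywhere, far larger than the limit

    results = {
        "normal_vulnerable": read_part_vulnerable(normal, boundary, limit),
        "normal_fixed": read_part_fixed(normal, boundary, limit),
        # The flawed reader happily buffers the whole flood (20480 bytes against a 4096 limit).
        "flood_vulnerable_buffered": len(read_part_vulnerable(flood, boundary, limit)),
    }
    try:
        read_part_fixed(flood, boundary, limit)
        results["flood_fixed_rejected"] = False
    except BodyTooLarge:
        # The corrected reader stops as soon as the cumulative size passes the limit.
        results["flood_fixed_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The only difference between the two readers is the argument handed to the recursive call; the per-chunk check is identical. That is why a limit can look enforced in unit tests that use a single chunk yet still be bypassed by a long stream, and why any recursive or iterative reader should track consumed bytes in one place rather than re-checking a fresh quota per step.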
Mitigation Strategies
- Upgrade the wisp framework dependency to a patched release.
- Deploy a reverse proxy (e.g., Nginx, HAProxy) with strict body size enforcement.
- Monitor application memory usage and disk space allocation for rapid anomalous growth.
Remediation Steps:
- Identify all projects utilizing the gleam-wisp/wisp dependency.
- Update the project's dependency manifest to require wisp version 2.2.2 or higher.
- Recompile the Gleam application and verify successful deployment.
- If patching is delayed, update edge proxies to enforce client_max_body_size directives immediately.
References
- GitHub Advisory: GHSA-8645-p2v4-73r2
- Fix Commit: 7a978748e12ab29db232c222254465890e1a4a90
- CVE-2026-32145 Record