CVE-2026-32145: CWE-770 Allocation of Resources Without Limits or Throttling in gleam-wisp wisp
Allocation of Resources Without Limits or Throttling vulnerability in gleam-wisp wisp allows a denial of service via multipart form body parsing. The multipart_body function bypasses configured max_body_size and max_files_size limits. When a multipart boundary is not present in a chunk, the parser takes the MoreRequiredForBody path, which appends the chunk to the output but passes the quota unchanged to the recursive call. Only the final chunk containing the boundary is counted via decrement_quota. The same pattern exists in multipart_headers, where MoreRequiredForHeaders recurses without calling decrement_body_quota. An unauthenticated attacker can exhaust server memory or disk by sending arbitrarily large multipart form submissions in a single HTTP request. This issue affects wisp: from 0.2.0 before 2.2.2.
AI Analysis
Technical Summary
This vulnerability in gleam-wisp wisp arises from improper handling of multipart form data parsing where configured maximum body and file size limits are bypassed. Specifically, the multipart_body and multipart_headers functions recursively process chunks without decrementing the resource quota until the final chunk containing the multipart boundary is processed. This allows an attacker to send very large multipart form submissions that are not properly throttled, leading to uncontrolled resource allocation and potential denial of service. The issue affects wisp versions from 0.2.0 up to but not including 2.2.2.
Potential Impact
An unauthenticated attacker can exploit this vulnerability to exhaust server memory or disk resources by sending large multipart form submissions in a single HTTP request. This results in denial of service conditions, potentially causing the affected server to become unresponsive or crash. There is no indication of data confidentiality or integrity impact beyond resource exhaustion.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official patch or fix links are provided in the available data. Until a fix is available, consider implementing external request size limits or filtering multipart requests at a reverse proxy or firewall to mitigate potential abuse.
CVE-2026-32145: CWE-770 Allocation of Resources Without Limits or Throttling in gleam-wisp wisp
Description
Allocation of Resources Without Limits or Throttling vulnerability in gleam-wisp wisp allows a denial of service via multipart form body parsing. The multipart_body function bypasses configured max_body_size and max_files_size limits. When a multipart boundary is not present in a chunk, the parser takes the MoreRequiredForBody path, which appends the chunk to the output but passes the quota unchanged to the recursive call. Only the final chunk containing the boundary is counted via decrement_quota. The same pattern exists in multipart_headers, where MoreRequiredForHeaders recurses without calling decrement_body_quota. An unauthenticated attacker can exhaust server memory or disk by sending arbitrarily large multipart form submissions in a single HTTP request. This issue affects wisp: from 0.2.0 before 2.2.2.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in gleam-wisp wisp arises from improper handling of multipart form data parsing where configured maximum body and file size limits are bypassed. Specifically, the multipart_body and multipart_headers functions recursively process chunks without decrementing the resource quota until the final chunk containing the multipart boundary is processed. This allows an attacker to send very large multipart form submissions that are not properly throttled, leading to uncontrolled resource allocation and potential denial of service. The issue affects wisp versions from 0.2.0 up to but not including 2.2.2.
Potential Impact
An unauthenticated attacker can exploit this vulnerability to exhaust server memory or disk resources by sending large multipart form submissions in a single HTTP request. This results in denial of service conditions, potentially causing the affected server to become unresponsive or crash. There is no indication of data confidentiality or integrity impact beyond resource exhaustion.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official patch or fix links are provided in the available data. Until a fix is available, consider implementing external request size limits or filtering multipart requests at a reverse proxy or firewall to mitigate potential abuse.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-03-10T22:37:29.212Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69ce471be6bfc5ba1dcbccc8
Added to database: 4/2/2026, 10:38:19 AM
Last enriched: 4/9/2026, 10:31:50 PM
Last updated: 5/20/2026, 9:42:46 PM
Views: 67
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.