
CVE-2026-32145: CWE-770 Allocation of Resources Without Limits or Throttling in gleam-wisp wisp

High
Published: Thu Apr 02 2026 (04/02/2026, 10:30:47 UTC)
Source: CVE Database V5
Vendor/Project: gleam-wisp
Product: wisp

Description

Allocation of Resources Without Limits or Throttling vulnerability in gleam-wisp wisp allows a denial of service via multipart form body parsing. The multipart_body function bypasses configured max_body_size and max_files_size limits. When a multipart boundary is not present in a chunk, the parser takes the MoreRequiredForBody path, which appends the chunk to the output but passes the quota unchanged to the recursive call. Only the final chunk containing the boundary is counted via decrement_quota. The same pattern exists in multipart_headers, where MoreRequiredForHeaders recurses without calling decrement_body_quota. An unauthenticated attacker can exhaust server memory or disk by sending arbitrarily large multipart form submissions in a single HTTP request. This issue affects wisp: from 0.2.0 before 2.2.2.
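The accounting flaw the description names is easiest to see next to its corrected form. The following is an added illustration written for this page, not wisp's code: a simplified chunk-at-a-time body parser in which the "more required" path (chunk without the boundary) forgets to charge the chunk against the quota, beside a version that charges every chunk. Names such as `multipart_body_vulnerable`, `multipart_body_fixed`, `QuotaExceeded` and the sample chunks are constructed stand-ins for the parser paths the advisory describes.

```python
"""Constructed illustration of the quota-accounting flaw described in the
advisory. This is NOT wisp's code; the function names are simplified
stand-ins for the MoreRequiredForBody / decrement_quota paths it names."""


class QuotaExceeded(Exception):
    """Raised when accumulated body bytes exceed the configured limit."""


def decrement_quota(quota: int, consumed: int) -> int:
    """Charge `consumed` bytes against the remaining quota, failing closed."""
    if consumed > quota:
        raise QuotaExceeded(f"body exceeds limit by {consumed - quota} bytes")
    return quota - consumed


def multipart_body_vulnerable(
    chunks: list[bytes], boundary: bytes, quota: int, acc: bytes = b""
) -> tuple[bytes, int]:
    """Flawed accounting: only the chunk holding the boundary is charged."""
    if not chunks:
        raise ValueError("stream ended before the boundary was seen")
    chunk, rest = chunks[0], chunks[1:]
    idx = chunk.find(boundary)
    if idx == -1:
        # "More required" path: the chunk is appended to the output, but the
        # quota is passed UNCHANGED to the recursive call, so these bytes are
        # never counted against max_body_size.
        return multipart_body_vulnerable(rest, boundary, quota, acc + chunk)
    # Only the final chunk (the one containing the boundary) is charged.
    quota = decrement_quota(quota, idx)
    return acc + chunk[:idx], quota


def multipart_body_fixed(
    chunks: list[bytes], boundary: bytes, quota: int, acc: bytes = b""
) -> tuple[bytes, int]:
    """Corrected accounting: every appended chunk is charged before recursing."""
    if not chunks:
        raise ValueError("stream ended before the boundary was seen")
    chunk, rest = chunks[0], chunks[1:]
    idx = chunk.find(boundary)
    if idx == -1:
        # Charge the whole chunk first; an oversized body fails here, before
        # the bytes are buffered or written anywhere.
        quota = decrement_quota(quota, len(chunk))
        return multipart_body_fixed(rest, boundary, quota, acc + chunk)
    quota = decrement_quota(quota, idx)
    return acc + chunk[:idx], quota


def demo() -> dict:
    """Run both parsers over a constructed stream that exceeds the quota."""
    boundary = b"--boundary"
    # Constructed input: four 1 KiB chunks of part data, then a short tail
    # chunk that carries the closing boundary.
    chunks = [b"A" * 1024] * 4 + [b"tail" + boundary + b"--\r\n"]
    quota = 2048  # configured limit, about half of the 4100 bytes sent

    results = {}
    body, remaining = multipart_body_vulnerable(chunks, boundary, quota)
    results["vulnerable_accepted_bytes"] = len(body)      # 4100, all buffered
    results["vulnerable_remaining_quota"] = remaining     # 2044, only 4 charged
    try:
        multipart_body_fixed(chunks, boundary, quota)
        results["fixed_rejected"] = False
    except QuotaExceeded:
        results["fixed_rejected"] = True                  # rejected on chunk 3
    return results


if __name__ == "__main__":
    print(demo())
```

The vulnerable variant reports plenty of quota left after buffering twice the permitted size, which is exactly the symptom the advisory describes: the limit is configured but only the last chunk ever touches it. The fixed variant rejects the request as soon as cumulative bytes pass the limit, before the data is retained.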

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 04/02/2026, 10:53:21 UTC

Technical Analysis

CVE-2026-32145 is a resource exhaustion vulnerability classified under CWE-770 (Allocation of Resources Without Limits or Throttling) affecting the multipart form body parsing logic in the gleam-wisp wisp web framework. The core issue lies in the multipart_body and multipart_headers functions, which recursively parse multipart HTTP requests. These functions bypass the enforcement of configured maximum body size (max_body_size) and maximum files size (max_files_size) limits because the quota decrementing logic is only triggered upon encountering the multipart boundary in the final chunk. When chunks without boundaries are processed, the parser appends data to output buffers but does not reduce the quota, allowing an attacker to send very large multipart payloads that consume excessive memory or disk resources. This flaw can be exploited remotely by an unauthenticated attacker simply by sending a crafted HTTP request with a large multipart form submission. The vulnerability affects wisp versions starting from 0.2.0 up to but not including 2.2.2. The CVSS 4.0 base score is 8.7 (high), reflecting the ease of exploitation (network vector, no authentication, no user interaction) and the severe impact on availability through denial of service. No patches or exploit code are currently publicly available, but the vulnerability is publicly disclosed and should be addressed promptly.

Potential Impact

The primary impact of CVE-2026-32145 is denial of service (DoS) through resource exhaustion. By sending a single HTTP request with a large multipart form body, an attacker can cause the server running the vulnerable wisp framework to consume excessive memory or disk space, potentially leading to application crashes, degraded performance, or complete service unavailability. This can disrupt business operations, degrade user experience, and increase operational costs due to recovery efforts. Since the vulnerability requires no authentication and can be triggered remotely, it poses a significant risk to any internet-facing services using affected wisp versions. Organizations relying on wisp for web applications or APIs may face increased downtime and potential cascading failures in dependent systems. Additionally, denial of service attacks can be leveraged as part of multi-vector campaigns, amplifying their impact. The lack of throttling or limits enforcement also raises concerns about potential exploitation in high-volume automated attacks.

Mitigation Recommendations

To mitigate CVE-2026-32145, organizations should upgrade the wisp framework to version 2.2.2 or later, where the vulnerability is fixed. If immediate upgrading is not feasible, implement the following practical mitigations:

1) Deploy web application firewalls (WAFs) or reverse proxies that enforce strict limits on HTTP request body sizes and multipart form submissions to block oversized payloads before they reach the application.
2) Configure network-level rate limiting and connection throttling to reduce the risk of large or repeated multipart requests from the same source.
3) Monitor application logs and resource usage metrics for unusual spikes in memory or disk consumption related to HTTP requests.
4) Employ runtime application self-protection (RASP) or middleware that can detect and reject malformed or boundary-less multipart requests.
5) Isolate critical services and implement resource quotas at the operating system or container level to limit the impact of resource exhaustion.
6) Conduct regular security assessments and fuzz testing focused on multipart parsing to identify similar issues proactively.

These measures, combined with timely patching, will reduce the risk and impact of exploitation.


Technical Details

Data Version
5.2
Assigner Short Name
EEF
Date Reserved
2026-03-10T22:37:29.212Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 69ce471be6bfc5ba1dcbccc8

Added to database: 4/2/2026, 10:38:19 AM

Last enriched: 4/2/2026, 10:53:21 AM

Last updated: 4/3/2026, 7:01:52 AM

Views: 10
