PatchSiren cyber security CVE debrief

CVE-2026-32145 gleam-wisp CVE debrief

CVE-2026-32145 is a high-severity, unauthenticated denial-of-service issue in wisp's multipart form handling. In affected releases, multipart parsing can bypass configured size limits, allowing a single oversized multipart request to consume server memory or disk.

Vendor: gleam-wisp
Product: wisp
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-02
Original CVE updated: 2026-04-06
Advisory published: 2026-04-02
Advisory updated: 2026-04-06

Who should care

Operators and developers running gleam-wisp/wisp services that accept multipart form submissions, especially file-upload or form-processing endpoints that depend on max_body_size or max_files_size to constrain resource use.

Technical summary

The issue is in multipart_body and multipart_headers. When a multipart boundary is not present in an input chunk, the parser follows a MoreRequired path that appends the chunk and recurses without first decrementing the quota. As a result, intermediate chunks are never counted against the configured limits; only the final chunk, the one containing the boundary, is charged via decrement_quota. The same recursive accounting gap exists in multipart_headers via MoreRequiredForHeaders and decrement_body_quota. This lets an attacker send a single large multipart request that bypasses the size limits and exhausts resources.
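The accounting gap is easiest to see in a small model of the parser loop. The following is an added illustration written for this debrief, not wisp's code: the function names (parse_body_vulnerable, parse_body_fixed, exercise_parser), the QuotaExceeded exception, and the constructed chunk generator are all assumptions chosen for the example. It mirrors the description above: a chunk without the boundary takes the "more required" path and is buffered without being charged against the remaining quota, so only the final chunk is decremented; the corrected loop charges every chunk before asking for more input, and rejects the same oversized body well before it has been buffered.

```python
"""Model of the quota-accounting flaw described for CVE-2026-32145.

Added example, not wisp's code. The quota stands in for the max_body_size /
max_files_size budget; the loop stands in for the recursive multipart_body
parser. All names below are assumptions made for this illustration.
"""
from __future__ import annotations

from typing import Callable, Iterator, Tuple


class QuotaExceeded(Exception):
    """Raised when the body would exceed the configured size limit."""


def _decrement_quota(quota: int, consumed: int) -> int:
    """Charge `consumed` bytes against the remaining quota, failing if it goes negative."""
    remaining = quota - consumed
    if remaining < 0:
        raise QuotaExceeded(f"multipart body exceeds limit by {-remaining} bytes")
    return remaining


def parse_body_vulnerable(chunks: Iterator[bytes], delimiter: bytes, quota: int) -> Tuple[bytes, int]:
    """Flawed accounting (modelled on the advisory's MoreRequired path).

    A chunk that does not contain the delimiter is buffered and the parser asks
    for more input WITHOUT charging that chunk against the quota. Only the final
    chunk, the one containing the delimiter, is decremented, so the buffered body
    can grow far past the limit.
    """
    buffered = b""
    for chunk in chunks:
        buffered += chunk
        idx = buffered.find(delimiter)
        if idx == -1:
            # "more required": keep reading; quota is left untouched (the bug)
            continue
        quota = _decrement_quota(quota, len(chunk))  # only the last chunk is counted
        return buffered[:idx], quota
    raise ValueError("delimiter not found")


def parse_body_fixed(chunks: Iterator[bytes], delimiter: bytes, quota: int) -> Tuple[bytes, int]:
    """Corrected accounting: every chunk is charged as soon as it is read,
    before the parser asks for more input, on every path through the loop."""
    buffered = b""
    for chunk in chunks:
        quota = _decrement_quota(quota, len(chunk))  # charge first, then buffer
        buffered += chunk
        idx = buffered.find(delimiter)
        if idx == -1:
            continue
        return buffered[:idx], quota
    raise ValueError("delimiter not found")


def constructed_chunks(part_size: int, chunk_size: int, boundary: bytes) -> Iterator[bytes]:
    """Constructed sample input: one part of `part_size` filler bytes followed by
    the closing boundary, delivered to the parser in `chunk_size` slices."""
    payload = b"A" * part_size + b"\r\n--" + boundary + b"--\r\n"
    for i in range(0, len(payload), chunk_size):
        yield payload[i:i + chunk_size]


def exercise_parser(parser: Callable[..., Tuple[bytes, int]], part_size: int,
                    chunk_size: int, quota: int) -> Tuple[str, int | None, int | None]:
    """Run one parser over a constructed body; report accept/reject, body length, quota left."""
    boundary = b"example-boundary"  # constructed value
    delimiter = b"\r\n--" + boundary
    try:
        body, remaining = parser(constructed_chunks(part_size, chunk_size, boundary), delimiter, quota)
        return ("accepted", len(body), remaining)
    except QuotaExceeded:
        return ("rejected", None, None)


if __name__ == "__main__":
    # A 50,000-byte part delivered in 1,000-byte chunks against a 10,000-byte quota.
    print("vulnerable:", exercise_parser(parse_body_vulnerable, 50_000, 1_000, 10_000))
    print("fixed:     ", exercise_parser(parse_body_fixed, 50_000, 1_000, 10_000))
    # A body within the limit is still accepted by the corrected parser.
    print("fixed, small body:", exercise_parser(parse_body_fixed, 5_000, 1_000, 10_000))
```

With a 10,000-byte quota, the flawed loop accepts the 50,000-byte body because only the 24-byte closing chunk is ever charged, while the corrected loop rejects it at the eleventh chunk, before most of the body has been buffered. This is also the behaviour to confirm when re-testing an upload endpoint after patching: a body larger than max_body_size must be rejected regardless of how it is split into chunks.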

Defensive priority

High. The attack is network-reachable, requires no authentication, and can be used to exhaust memory or disk through request handling alone.

Recommended defensive actions

  • Upgrade wisp to version 2.2.2 or later, the fixed release identified by the advisory.
  • Verify that no deployed service using wisp is pinned to a version in the affected range, 0.2.0 through 2.2.1.
  • Review any custom forks or backports to confirm multipart parsing now decrements quota on every recursive path.
  • Add or tighten edge and application-layer request size limits for multipart uploads.
  • Monitor for abnormal memory, disk, or request-processing spikes on any service that accepts multipart form submissions.
  • Re-test upload and form endpoints after patching to confirm configured max_body_size and max_files_size enforcement behaves as expected.

Evidence notes

The supplied CVE description states that multipart_body bypasses max_body_size and max_files_size when a boundary is absent in a chunk, and that multipart_headers has the same recursive quota-accounting flaw. The CNA advisory, GitHub security advisory, OSV entry, and upstream commit are the linked references for the affected range and remediation context. The provided timeline places publication on 2026-04-02 and a later CVE record modification on 2026-04-06; NVD's snapshot status was 'Undergoing Analysis'.

Official resources

Published 2026-04-02 and modified 2026-04-06. The provided NVD snapshot lists the record as 'Undergoing Analysis,' while the CNA advisory, GitHub Security Advisory, OSV entry, and upstream commit provide the primary remediation references.