High severityNVD Advisory· Published Apr 2, 2026· Updated Apr 6, 2026

CVE-2026-32145

Description

Allocation of Resources Without Limits or Throttling vulnerability in gleam-wisp wisp allows a denial of service via multipart form body parsing.

The multipart_body function bypasses configured max_body_size and max_files_size limits. When a multipart boundary is not present in a chunk, the parser takes the MoreRequiredForBody path, which appends the chunk to the output but passes the quota unchanged to the recursive call. Only the final chunk containing the boundary is counted via decrement_quota. The same pattern exists in multipart_headers, where MoreRequiredForHeaders recurses without calling decrement_body_quota.

An unauthenticated attacker can exhaust server memory or disk by sending arbitrarily large multipart form submissions in a single HTTP request.

This issue affects wisp: from 0.2.0 before 2.2.2.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
wispHex	< 2.2.2	2.2.2

Affected products

Gleam Wisp/Wispreferences

Patches

7a978748e12a

Fix body limits

https://github.com/gleam-wisp/wispLouis PilfoldMar 27, 2026via ghsa

commit

3 files changed · +63 −7

CHANGELOG.md+2 −0 modified

@@ -5,6 +5,8 @@
 - The Mist web server related module has been moved to the `wisp_mist` adapter
   package. A `wisp_ewe` package has been created too!
 - `send_file` failing will now result in an internal server error being sent.
+- Fixed a bug where the max body sizes would not be respected for chunked
+  request body streams.
 
 ## v2.2.1 - 2026-03-08

src/wisp.gleam+18 −7 modified

@@ -1172,6 +1172,7 @@ fn multipart_body(
     http.MoreRequiredForBody(chunk, parse) -> {
       let parse = fn_with_bad_request_error(parse, invalid_form)
       let reader = BufferedReader(reader, <<>>)
+      use quota <- result.try(decrement_quota(quota, size_read))
       use data <- result.try(append(data, chunk))
       multipart_body(reader, parse, boundary, chunk_size, quota, append, data)
     }
@@ -1242,6 +1243,8 @@ fn multipart_headers(
         }
       }
       let reader = BufferedReader(reader, <<>>)
+      let size_read = bit_array.byte_size(chunk)
+      use quotas <- result.try(decrement_body_quota(quotas, size_read))
       multipart_headers(reader, parse, chunk_size, quotas)
     }
   }
@@ -2000,18 +2003,26 @@ pub fn get_cookie(
 // Testing
 //
 
-// TODO: chunk the body
 @internal
 pub fn create_canned_connection(
   body: BitArray,
   secret_key_base: String,
 ) -> internal.Connection {
-  internal.make_connection(
-    fn(_size) {
-      Ok(internal.Chunk(body, fn(_size) { Ok(internal.ReadingFinished) }))
-    },
-    secret_key_base,
-  )
+  internal.make_connection(canned_reader(body), secret_key_base)
+}
+
+fn canned_reader(data: BitArray) -> internal.Reader {
+  fn(chunk_size) {
+    case bit_array.byte_size(data) {
+      0 -> Ok(internal.ReadingFinished)
+      size -> {
+        let take = int.min(chunk_size, size)
+        let assert Ok(chunk) = bit_array.slice(data, 0, take)
+        let assert Ok(rest) = bit_array.slice(data, take, size - take)
+        Ok(internal.Chunk(chunk, canned_reader(rest)))
+      }
+    }
+  }
 }
 
 /// Protects against Cross-Site Request Forgery (CSRF) attacks by checking the

test/wisp_test.gleam+43 −0 modified

@@ -885,6 +885,49 @@ Content-Disposition: form-data; name=\"one\"\r
     )
 }
 
+// https://github.com/gleam-wisp/wisp/issues/108
+pub fn multipart_form_body_too_big_across_chunks_test() {
+  let data = "--b\r
+Content-Disposition: form-data; name=\"x\"\r
+\r
+" <> string.repeat("A", 200) <> "\r
+--b--\r
+"
+  assert simulate.request(http.Post, "/")
+    |> simulate.string_body(data)
+    |> request.set_header("content-type", "multipart/form-data; boundary=b")
+    |> wisp.set_max_body_size(120)
+    |> wisp.set_read_chunk_size(100)
+    |> form_handler(fn(_) { panic as "should be unreachable" })
+    == Response(
+      413,
+      [#("content-type", "text/plain")],
+      wisp.Text("Content too large"),
+    )
+}
+
+// https://github.com/gleam-wisp/wisp/issues/108
+pub fn multipart_form_headers_too_big_across_chunks_test() {
+  let data =
+    "--b\r
+Content-Disposition: form-data; name=\"x\"\r
+\r
+1\r
+--b--\r
+"
+  assert simulate.request(http.Post, "/")
+    |> simulate.string_body(data)
+    |> request.set_header("content-type", "multipart/form-data; boundary=b")
+    |> wisp.set_max_body_size(10)
+    |> wisp.set_read_chunk_size(4)
+    |> form_handler(fn(_) { panic as "should be unreachable" })
+    == Response(
+      413,
+      [#("content-type", "text/plain")],
+      wisp.Text("Content too large"),
+    )
+}
+
 pub fn multipart_form_no_boundary_test() {
   let data =
     "--theboundary\r

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-8645-p2v4-73r2ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-32145ghsaADVISORY
cna.erlef.org/cves/CVE-2026-32145.htmlnvdWEB
github.com/gleam-wisp/wisp/commit/7a978748e12ab29db232c222254465890e1a4a90nvdWEB
github.com/gleam-wisp/wisp/security/advisories/GHSA-8645-p2v4-73r2nvdWEB
osv.dev/vulnerability/EEF-CVE-2026-32145nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000