JustAppSec

Wisp patches multipart parser limit bypass causing DoS

Published 02 Apr 2026 · Updated 02 Apr 2026 · Source: CVEProject (cvelistV5)

TL;DR — A multipart form parsing bug in wisp can bypass configured request size limits, letting unauthenticated attackers drive memory or disk exhaustion with a single oversized multipart request.

What happened

wisp is an Erlang/Gleam web library used to handle HTTP requests, including parsing form submissions.

CVE-2026-32145 describes an uncontrolled resource consumption issue in wisp’s multipart parsing logic (multipart_body / multipart_headers) where the parser can recurse without decrementing quota when a multipart boundary is not present in a chunk. This allows an attacker to send arbitrarily large multipart bodies split across chunks that avoid the boundary, bypassing configured max_body_size and max_files_size limits, and causing memory exhaustion (for form fields accumulated in memory) or disk exhaustion (for file uploads written to temporary storage). (raw.githubusercontent.com)

Severity is CVSS v4.0 8.7 (High), with Availability impact rated High. Size-limit bypasses in multipart parsers are a recurring failure mode: they’re easy to probe remotely and can create high-leverage availability incidents on public endpoints that accept uploads or forms. (raw.githubusercontent.com)
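To make the bug class concrete, here is an added toy model of a chunked multipart part reader with a byte quota. It is constructed for this article and is not wisp's code; the boundary string, chunk sizes, quota and function names are all assumptions. The vulnerable variant charges the quota only for the chunk that finally contains the boundary, so chunks without one are buffered without ever being counted, which is the shape of bypass the CVE describes; the fixed variant charges every byte as it arrives.

```python
"""Toy model of a chunked multipart part reader with a byte quota.

Constructed illustration, not wisp's code. The reader receives the request
body in chunks and must locate the part boundary. With charge_every_chunk
set to False it reproduces the vulnerable bookkeeping (quota only charged
when a chunk carries the boundary); with True it shows the corrected form.
"""
from dataclasses import dataclass
from typing import Iterable, Iterator


class BodyTooLarge(Exception):
    """Raised when received bytes exceed the configured quota."""


@dataclass
class ReadResult:
    part: bytes         # bytes of the part preceding the boundary delimiter
    quota_left: int     # quota remaining after the part was read
    peak_buffered: int  # largest number of bytes held in memory at once


def read_part(chunks: Iterable[bytes], boundary: bytes, quota: int,
              *, charge_every_chunk: bool) -> ReadResult:
    """Read one multipart part from `chunks`, stopping at `boundary`."""
    buf = bytearray()
    peak = 0
    for chunk in chunks:
        if charge_every_chunk:
            # Fixed behaviour: every received byte counts against the quota,
            # whether or not this chunk happens to contain the boundary.
            quota -= len(chunk)
            if quota < 0:
                raise BodyTooLarge(f"part exceeds quota by {-quota} bytes")
        buf += chunk
        peak = max(peak, len(buf))
        idx = buf.find(boundary)
        if idx == -1:
            # No boundary yet: wait for more data. The vulnerable variant
            # takes this path (recursing, in the original) without touching
            # the quota at all.
            continue
        if not charge_every_chunk:
            # Vulnerable behaviour: only the chunk that carried the boundary
            # is charged, not everything buffered before it.
            quota -= len(chunk)
            if quota < 0:
                raise BodyTooLarge(f"part exceeds quota by {-quota} bytes")
        part = bytes(buf[:idx])
        # The CRLF immediately before a boundary belongs to the delimiter.
        if part.endswith(b"\r\n"):
            part = part[:-2]
        return ReadResult(part=part, quota_left=quota, peak_buffered=peak)
    raise ValueError("body ended before the boundary was seen")


BOUNDARY = b"--boundary123"  # constructed boundary value


def evasive_body(chunk_size: int, n_chunks: int) -> Iterator[bytes]:
    """Constructed body: n filler chunks with no boundary, then the boundary."""
    for _ in range(n_chunks):
        yield b"A" * chunk_size
    yield b"\r\n" + BOUNDARY


def demo(quota: int = 1_000_000, chunk_size: int = 65_536,
         n_chunks: int = 100) -> dict:
    """Run the same body through both variants and report what happened."""
    out = {}
    vulnerable = read_part(evasive_body(chunk_size, n_chunks), BOUNDARY, quota,
                           charge_every_chunk=False)
    out["vulnerable_accepted_bytes"] = len(vulnerable.part)  # far above quota
    out["vulnerable_peak_buffered"] = vulnerable.peak_buffered
    out["vulnerable_quota_left"] = vulnerable.quota_left      # barely touched
    try:
        read_part(evasive_body(chunk_size, n_chunks), BOUNDARY, quota,
                  charge_every_chunk=True)
        out["fixed_rejected"] = False
    except BodyTooLarge:
        out["fixed_rejected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

With a 1 MB quota and a hundred 64 KB boundary-free chunks, the vulnerable variant buffers about 6.5 MB and still reports almost the whole quota unused, while the fixed variant raises on the sixteenth chunk. The defensive lesson is the one the patch applies: account for bytes at the point they are received, never at the point a delimiter is recognised.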

Who is impacted

  • Applications that accept user-controlled multipart form input via wisp, especially those using require_form or require_multipart_form. (github.com)

Component | Affected versions (per advisory/CVE) | Patched versions (per advisory)
wisp      | >= 0.2.0, < 2.2.2                    | 2.2.2 (github.com)

What to do now

  • Follow vendor remediation guidance and apply the patched release for wisp. The advisory lists 2.2.2 as the patched version. (github.com)
  • If you cannot update immediately, implement the vendor-provided workaround to enforce request limits before the application:
    • "Deploy a reverse proxy (such as nginx or HAProxy) in front of the application and enforce request body size limits there." (github.com)

  • Identify any internet-facing endpoints that accept multipart uploads/forms and treat them as the priority patch surface (especially routes that allow unauthenticated submissions).
  • Monitor for abuse patterns consistent with multipart DoS attempts (e.g., unusually large multipart request bodies, high temporary storage growth, OOM kills, abrupt disk pressure) and ensure alerting covers both memory and disk exhaustion signals.
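As an added example of the monitoring point above (not part of the advisory), the following script flags the two cheapest signals from reverse-proxy access logs: individual multipart requests larger than the configured body limit, and per-source multipart volume. It assumes an nginx-style log format that records $request_length and $content_type (those variable names are nginx's; the format itself, the threshold and the sample lines are constructed for this example).

```python
"""Flag multipart DoS signals in reverse-proxy access-log lines.

Added illustration, not from the advisory. Assumes a log format such as

  log_format body '$remote_addr [$time_local] "$request" $status '
                  '$request_length "$content_type"';

where $request_length is the byte count received from the client (headers
included). The format and the sample lines below are constructed.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<req_len>\d+) "(?P<ctype>[^"]*)"$'
)

# Constructed sample: one small legitimate upload, three oversized multipart
# POSTs from a single source, and an unrelated GET.
SAMPLE_LOG = """\
203.0.113.7 [02/Apr/2026:10:00:01 +0000] "POST /upload HTTP/1.1" 200 1834 "multipart/form-data; boundary=----x1"
198.51.100.9 [02/Apr/2026:10:00:02 +0000] "POST /upload HTTP/1.1" 200 52428800 "multipart/form-data; boundary=----e1"
198.51.100.9 [02/Apr/2026:10:00:03 +0000] "POST /upload HTTP/1.1" 200 52428800 "multipart/form-data; boundary=----e1"
203.0.113.7 [02/Apr/2026:10:00:04 +0000] "GET /index HTTP/1.1" 200 412 "-"
198.51.100.9 [02/Apr/2026:10:00:05 +0000] "POST /contact HTTP/1.1" 200 7340032 "multipart/form-data; boundary=----e1"
"""


def find_multipart_abuse(log_text: str, max_body_size: int = 1_048_576) -> dict:
    """Return oversized multipart requests and per-source multipart totals.

    Once the proxy enforces a body limit, a multipart request larger than
    max_body_size should not reach the application at all; one appearing in
    the log means the limit is missing or misconfigured. Per-source totals
    surface repeated submissions that together would exhaust memory or disk.
    """
    oversized = []
    totals = defaultdict(lambda: {"requests": 0, "bytes": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # unparsable line: leave it to a separate hygiene alert
        if not m["ctype"].lower().startswith("multipart/form-data"):
            continue
        size = int(m["req_len"])
        src = m["ip"]
        totals[src]["requests"] += 1
        totals[src]["bytes"] += size
        if size > max_body_size:
            oversized.append({"ip": src, "path": m["path"],
                              "status": int(m["status"]), "bytes": size})
    return {"oversized": oversized, "totals": dict(totals)}


if __name__ == "__main__":
    result = find_multipart_abuse(SAMPLE_LOG)
    for hit in result["oversized"]:
        print("oversized multipart:", hit)
    for src, agg in result["totals"].items():
        print(src, agg)
```

Pair this with host-level signals the bullet lists (temporary-directory growth, OOM kills) so that a bypass which the proxy did not stop is still caught on the application host.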

Additional Information

  • GitHub Security Advisory (vendor write-up, affected/patched versions, workaround): (github.com)
  • Patch commit referenced by the CVE record: (github.com)

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
