{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability to use the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-32145",
        "tracking": {
            "current_release_date": "2026-04-03T04:39:49.524058Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-32145",
            "initial_release_date": "2026-04-02T10:38:37.418253Z",
            "revision_history": [
                {
                    "date": "2026-04-02T10:38:37.418253Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (4).| Product Identifiers created (4).| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-04-02T10:38:42.774456Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-04-02T11:25:45.692660Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-04-02T11:25:51.536763Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-04-02T11:35:04.799341Z",
                    "number": "5",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-04-02T15:04:32.402299Z",
                    "number": "6",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-04-03T04:39:43.546418Z",
                    "number": "7",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)."
                },
                {
                    "date": "2026-04-03T04:39:46.480282Z",
                    "number": "8",
                    "summary": "NCSC Score updated."
                }
            ],
            "status": "interim",
            "version": "8"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:git/d8e722e22ccb42bda9d0b6248658d37ab4e9b376|<7a978748e12ab29db232c222254465890e1a4a90",
                                "product": {
                                    "name": "vers:git/d8e722e22ccb42bda9d0b6248658d37ab4e9b376|<7a978748e12ab29db232c222254465890e1a4a90",
                                    "product_id": "CSAFPID-5983934",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:gleam-wisp:wisp:*:*:*:*:*:*:*:*"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:purl/pkg:github/gleam-wisp/wisp@d8e722e22ccb42bda9d0b6248658d37ab4e9b376|<pkg:github/gleam-wisp/wisp@7a978748e12ab29db232c222254465890e1a4a90",
                                "product": {
                                    "name": "vers:purl/pkg:github/gleam-wisp/wisp@d8e722e22ccb42bda9d0b6248658d37ab4e9b376|<pkg:github/gleam-wisp/wisp@7a978748e12ab29db232c222254465890e1a4a90",
                                    "product_id": "CSAFPID-5983935",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:gleam-wisp:wisp:*:*:*:*:*:*:*:*"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:purl/pkg:hex/wisp@0.2.0|<pkg:hex/wisp@2.2.2",
                                "product": {
                                    "name": "vers:purl/pkg:hex/wisp@0.2.0|<pkg:hex/wisp@2.2.2",
                                    "product_id": "CSAFPID-5983933",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:gleam-wisp:wisp:*:*:*:*:*:*:*:*"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:semver/0.2.0|<2.2.2",
                                "product": {
                                    "name": "vers:semver/0.2.0|<2.2.2",
                                    "product_id": "CSAFPID-5983932",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:gleam-wisp:wisp:*:*:*:*:*:*:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "wisp"
                    }
                ],
                "category": "vendor",
                "name": "gleam-wisp"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-32145",
            "cwe": {
                "id": "CWE-770",
                "name": "Allocation of Resources Without Limits or Throttling"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "Allocation of Resources Without Limits or Throttling vulnerability in gleam-wisp wisp allows a denial of service via multipart form body parsing.\n\nThe multipart_body function bypasses configured max_body_size and max_files_size limits. When a multipart boundary is not present in a chunk, the parser takes the MoreRequiredForBody path, which appends the chunk to the output but passes the quota unchanged to the recursive call. Only the final chunk containing the boundary is counted via decrement_quota. The same pattern exists in multipart_headers, where MoreRequiredForHeaders recurses without calling decrement_body_quota.\n\nAn unauthenticated attacker can exhaust server memory or disk by sending arbitrarily large multipart form submissions in a single HTTP request.\n\nThis issue affects wisp: from 0.2.0 before 2.2.2.",
                    "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/32xxx/CVE-2026-32145.json"
                },
                {
                    "category": "description",
                    "text": "Allocation of Resources Without Limits or Throttling vulnerability in gleam-wisp wisp allows a denial of service via multipart form body parsing.\n\nThe multipart_body function bypasses configured max_body_size and max_files_size limits. When a multipart boundary is not present in a chunk, the parser takes the MoreRequiredForBody path, which appends the chunk to the output but passes the quota unchanged to the recursive call. Only the final chunk containing the boundary is counted via decrement_quota. The same pattern exists in multipart_headers, where MoreRequiredForHeaders recurses without calling decrement_body_quota.\n\nAn unauthenticated attacker can exhaust server memory or disk by sending arbitrarily large multipart form submissions in a single HTTP request.\n\nThis issue affects wisp: from 0.2.0 before 2.2.2.",
                    "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-32145"
                },
                {
                    "category": "description",
                    "text": "### Summary\nA multipart form parsing bug allows any unauthenticated user to bypass configured request size limits and trigger a denial of service by exhausting server memory or disk.\n\n### Details\nThe issue is in the multipart parsing logic, specifically in `multipart_body` and `multipart_headers`.\n\nWhen parsing multipart data, the implementation distinguishes between:\n- chunks where a boundary is found\n- chunks where more data is required\n\nIn the normal case (boundary found), the parser correctly accounts for consumed bytes by calling `decrement_quota`.\n\nHowever, in the `MoreRequiredForBody` branch, the parser appends incoming data to the output but recurses without decrementing the quota. This means that any chunk that does not contain the multipart boundary is effectively “free” from a quota perspective. Only the final chunk, the one containing the boundary, is counted.\n\nThe same pattern exists in `multipart_headers`, where `MoreRequiredForHeaders` also recurses without decrementing the quota.\n\nAs a result, an attacker can send arbitrarily large multipart bodies split across many chunks that avoid the boundary. The parser will accumulate the data (in memory for form fields, on disk for file uploads) without enforcing `max_body_size` or `max_files_size`.\n\n### Impact\nThis is a denial of service vulnerability caused by uncontrolled resource consumption.\n\nAny application using `require_form` or `require_multipart_form` on user-controlled input is affected. \nAn unauthenticated attacker can send large multipart requests that bypass configured limits and cause:\n\n- memory exhaustion (for form fields accumulated in memory)\n- disk exhaustion (for file uploads written to temporary storage)\n\nIn both cases, the application may become unavailable or be terminated by the operating system.\n\n### Workaround\nDeploy a reverse proxy (such as nginx or HAProxy) in front of the application and enforce request body size limits there. This ensures large multipart requests are rejected before they reach the vulnerable parser.\n\n### Resources\n- Introducing commit: https://github.com/gleam-wisp/wisp/commit/d8e722e22ccb42bda9d0b6248658d37ab4e9b376\n- Fix commit: https://github.com/gleam-wisp/wisp/commit/7a978748e12ab29db232c222254465890e1a4a90",
                    "title": "github - https://api.github.com/advisories/GHSA-8645-p2v4-73r2"
                },
                {
                    "category": "other",
                    "text": "0.00056",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                    "title": "CVSSV4"
                },
                {
                    "category": "other",
                    "text": "8.7",
                    "title": "CVSSV4 base score"
                },
                {
                    "category": "other",
                    "text": "3.7",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "There is cwe data available from source Nvd, The value of the most recent CVSS (V3) score",
                    "title": "NCSC Score top decreasing factors"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5983932",
                    "CSAFPID-5983933",
                    "CSAFPID-5983934",
                    "CSAFPID-5983935"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/32xxx/CVE-2026-32145.json"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-32145"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://api.github.com/advisories/GHSA-8645-p2v4-73r2"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://github.com/gleam-wisp/wisp/security/advisories/GHSA-8645-p2v4-73r2"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://github.com/gleam-wisp/wisp/commit/7a978748e12ab29db232c222254465890e1a4a90"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32145"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-8645-p2v4-73r2"
                }
            ],
            "title": "CVE-2026-32145"
        }
    ]
}