Ethical Hacking News
A critical denial-of-service vulnerability has been discovered in the HTTP/2 protocol, which affects major web servers like NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora. The "HTTP/2 Bomb" vulnerability allows for remote denial-of-service attacks by exploiting a combination of compression bombing and Slowloris-style holding. Immediate action must be taken to secure infrastructure against this new threat.
A critical vulnerability in the HTTP/2 protocol has been discovered, dubbed "HTTP/2 Bomb" because of the denial-of-service attack it unleashes. The vulnerability targets HPACK, HTTP/2's header compression scheme, allowing an attacker to overwhelm a targeted server with minimal data. Compression bombing provides the amplification, and a Slowloris-style hold keeps the server from ever freeing the memory it has allocated. Web server administrators are advised to upgrade to the latest version of NGINX, disable HTTP/2, or set Protocols http/1.1 to secure their infrastructure.
Calif, a cybersecurity researcher, has shed light on a critical vulnerability in the HTTP/2 protocol that affects major web servers. The vulnerability, dubbed "HTTP/2 Bomb" because of the denial-of-service attack it unleashes, was discovered by OpenAI Codex and combines two known techniques: compression bombing and Slowloris-style holding. This discovery highlights the need for web server administrators to take immediate action to secure their infrastructure against this new threat.
The HTTP/2 protocol is designed to provide faster data transfer and lower latency than its predecessor, HTTP/1.1. Like any complex system, however, it is not immune to vulnerabilities. The vulnerable behavior lies in HPACK, the scheme HTTP/2 uses to compress request and response headers. Calif explained that "the bomb targets HPACK, HTTP/2's header compression scheme: one byte on the wire becomes one full header allocation on the server, repeated thousands of times per request." This amplification effect allows an attacker to overwhelm a targeted server by sending an unusually large number of requests with minimal data, effectively depleting the server's resources.
The attack vector combines compression bombing with a Slowloris-style hold. Calif noted that "the hold is a zero-byte flow-control window that keeps the server from ever freeing any of it." The server must keep the decompressed headers allocated while the held connection stays open, so each further request adds to the memory already pinned, and the combination lets the attacker consume and hold significant amounts of server memory.
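To make the amplification described in the two paragraphs above concrete, here is an added example (not code from the article or from any of the servers it names) that decodes an HPACK header block made only of one-byte indexed references against a subset of the RFC 7541 static table, accounts for the decoded size the way RFC 7541 does, and rejects the block as soon as it passes a configurable header-list budget. The static-table subset and the budget values are assumptions made for the illustration.

```python
# Added illustration, not code from the article or any server it names.
# Static-table subset from RFC 7541 Appendix A; budget values are constructed.
STATIC_TABLE = {  # index -> (name, value)
    1: (":authority", ""),
    2: (":method", "GET"),
    3: (":method", "POST"),
    4: (":path", "/"),
    5: (":path", "/index.html"),
    6: (":scheme", "http"),
    7: (":scheme", "https"),
    16: ("accept-encoding", "gzip, deflate"),
}

def entry_size(name: str, value: str) -> int:
    """RFC 7541 section 4.1 accounting: name + value + 32 bytes overhead."""
    return len(name.encode()) + len(value.encode()) + 32

def decode_indexed_fields(block: bytes, max_header_list_size=None):
    """Decode a block made only of indexed field representations (1xxxxxxx).

    One wire byte selects one static-table entry, so one byte becomes one full
    (name, value) allocation. With a budget set, ValueError is raised as soon as
    the accumulated decoded size exceeds it, before further bytes are expanded.
    """
    headers, total = [], 0
    for byte in block:
        if byte & 0x80 == 0:
            raise ValueError("only indexed field representations supported here")
        index = byte & 0x7F  # 7-bit prefix; no continuation bytes needed below 127
        if index not in STATIC_TABLE:
            raise ValueError(f"invalid or unsupported index {index}")
        name, value = STATIC_TABLE[index]
        total += entry_size(name, value)
        if max_header_list_size is not None and total > max_header_list_size:
            raise ValueError(f"header list exceeds budget of {max_header_list_size} bytes")
        headers.append((name, value))
    return headers

def decoded_size(block: bytes) -> int:
    """Bytes a server must allocate for the block when no budget is enforced."""
    return sum(entry_size(n, v) for n, v in decode_indexed_fields(block))

def within_budget(block: bytes, max_header_list_size: int) -> bool:
    """Defender's check: does the block decode without exceeding the budget?"""
    try:
        decode_indexed_fields(block, max_header_list_size)
        return True
    except ValueError:
        return False
```

A constructed block of four indexed bytes decodes to 184 bytes of headers, and a thousand repeats of one indexed byte expand to 60,000 bytes, which an 8 KiB budget rejects before the whole block is expanded.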
To put this into perspective, consider a hypothetical scenario in which a home computer on a 100Mbps connection sends a large number of requests carrying minimal data. A single client can render a vulnerable server inaccessible within seconds; against Apache HTTPD and Envoy, one client can consume and hold 32GB of server memory in about 20 seconds.
In light of this new threat, web server administrators are advised to take immediate action to secure their infrastructure. The recommended mitigations include upgrading NGINX to the latest version (1.29.8+), disabling HTTP/2 in NGINX with the `http2 off` directive, or disabling it in Apache HTTPD by setting `Protocols http/1.1`. For Microsoft IIS, Envoy, and Cloudflare Pingora, no patches are available as of writing.
The discovery of this vulnerability highlights the importance of regular security audits and updates for web servers. As the threat landscape continues to evolve, it is crucial that organizations prioritize their cybersecurity posture to prevent such vulnerabilities from being exploited. In conclusion, the HTTP/2 Bomb vulnerability is a significant threat to web servers, and immediate action must be taken to secure infrastructure against this new attack vector.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Remote-Denial-of-Service-Vulnerability-in-HTTP2-A-Threat-to-Web-Servers-ehn.shtml
https://thehackernews.com/2026/06/new-http2-bomb-vulnerability-allows.html
Published: Wed Jun 3 05:06:39 2026 by llama3.2 3B Q4_K_M