

Ethical Hacking News

The HTTP/2 Bomb: A Decade-Old DoS Attack Reborn through AI-Powered Exploits



A new threat has emerged, exploiting vulnerabilities in popular web servers to deliver devastating denial-of-service attacks. The HTTP/2 Bomb, created through a combination of AI-powered techniques, threatens the stability of countless websites worldwide.

  • The HTTP/2 Bomb is a remote denial-of-service (DoS) exploit that can crash vulnerable web servers in mere seconds.
  • Codex, an AI-powered agent, has been instrumental in uncovering the vulnerabilities in several major web servers.
  • The attack chains two DoS techniques that are each more than a decade old: an HPACK compression bomb and a Slowloris-style connection hold.
  • Over 880,000 websites that support HTTP/2 and run one of the vulnerable web servers are exposed.
  • Codex was able to create a working exploit using publicly available code snippets from GitHub.
  • Security experts recommend disabling HTTP/2 or enforcing a cap on HTTP headers to mitigate the attack.


In a world where cybersecurity threats are evolving at an unprecedented pace, researchers have identified a new and potent attack vector that leverages the very protocols designed to make the web faster. The HTTP/2 Bomb, as it has come to be known, is a remote denial-of-service (DoS) exploit that can crash vulnerable web servers in mere seconds, leaving them inaccessible to legitimate users.

At the heart of this newfound threat lies an AI-powered agent, codenamed Codex, which has been instrumental in uncovering the vulnerabilities in several major web servers. According to the security researchers at Calif who discovered the HTTP/2 Bomb, Codex chained two decade-old DoS techniques, an HPACK compression bomb and a Slowloris-style connection hold, into a single attack that can exhaust even the most robust server configurations.

The HPACK bomb abuses the HTTP/2 header compression algorithm (HPACK): the client sends the server thousands of tiny compressed header blocks, and decompressing them forces the server to allocate memory rapidly until it crashes. The Slowloris attack, meanwhile, overwhelms the server by opening legitimate connections and holding them open for as long as possible, consuming vast amounts of server resources.

The combined effect of these two attacks is a catastrophic impact on the server's performance, rendering it unusable for extended periods. This vulnerability affects over 880,000 websites that support HTTP/2 and run one of the vulnerable web servers. Microsoft IIS and Cloudflare Pingora still don't have patches in place to address this issue.

In an interesting twist, the researchers found that Codex, the AI agent responsible for identifying these vulnerabilities, was able to build a working exploit from publicly available code snippets on GitHub. This raises significant concerns about the rapid evolution of cybersecurity threats and the ease with which they can be leveraged by malicious actors.

According to Calif security researcher Quang Luong, who discovered the HTTP/2 Bomb, both halves of the attack have been public for over a decade, but it took Codex's unique abilities to recognize their potential in combination. This has significant implications for web server administrators and developers, who will need to ensure that their configurations are up to date with the latest security patches.

The discovery of the HTTP/2 Bomb highlights the importance of ongoing cybersecurity research and monitoring, as well as the critical role that AI-powered tools can play in identifying vulnerabilities and mitigating threats. It also underscores the need for web server maintainers and administrators to keep pace with a rapidly evolving threat landscape.

In response to this new threat, security experts recommend disabling HTTP/2 where possible, or enforcing a cap on the number of HTTP headers a client can send in a single request. The researchers at Calif have also pointed out that Envoy's patches appear to mitigate this attack and are being validated for efficacy.
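To show why the header cap the researchers recommend has to be applied while the header block is being decompressed rather than after it, here is an added example (not code from the article, Calif or Codex): a simplified HPACK decoder that counts the decoded header-list size the way RFC 7540 section 10.5.1 does and stops at the first field that pushes it past the cap. It assumes a constructed sample block that stores one 100-byte header in the dynamic table and then references it 50 times with one byte each; Huffman-coded strings and static-table lookups are left out for brevity.

```python
STATIC_TABLE_SIZE = 61  # RFC 7541 Appendix A; dynamic-table indices start at 62
FIELD_OVERHEAD = 32     # RFC 7540 s10.5.1: each field counts name + value + 32

def decode_int(buf: bytes, pos: int, prefix_bits: int) -> tuple[int, int]:
    """RFC 7541 s5.1 integer decoding; returns (value, next position)."""
    mask = (1 << prefix_bits) - 1
    value, pos = buf[pos] & mask, pos + 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos

def decode_string(buf: bytes, pos: int) -> tuple[bytes, int]:
    if buf[pos] & 0x80:
        raise ValueError("Huffman strings not supported in this demo")
    length, pos = decode_int(buf, pos, 7)
    return buf[pos:pos + length], pos + length

def decode_block(buf: bytes, max_list_size: int) -> tuple[bool, list, int]:
    """Decodes indexed fields and literal-with-incremental-indexing (new name,
    non-Huffman) only. Returns (accepted, fields decoded, decoded byte count);
    decoding stops at the first field that pushes the list past the cap."""
    dynamic, out, used, pos = [], [], 0, 0   # dynamic table: newest entry first
    while pos < len(buf):
        if buf[pos] & 0x80:                  # indexed header field
            idx, pos = decode_int(buf, pos, 7)
            name, value = dynamic[idx - STATIC_TABLE_SIZE - 1]
        elif buf[pos] & 0x40:                # literal, added to the dynamic table
            idx, pos = decode_int(buf, pos, 6)
            if idx:
                raise ValueError("indexed names not supported in this demo")
            name, pos = decode_string(buf, pos)
            value, pos = decode_string(buf, pos)
            dynamic.insert(0, (name, value))
        else:
            raise ValueError("representation not supported in this demo")
        used += len(name) + len(value) + FIELD_OVERHEAD
        out.append((name, value))
        if used > max_list_size:             # reject before expanding the rest
            return False, out, used
    return True, out, used

# Constructed test input (154 bytes): one literal "x: AAAA..." (100-byte value)
# stored in the dynamic table, then 50 one-byte references to it (0xBE = index 62).
SAMPLE_BLOCK = b"\x40\x01x\x64" + b"A" * 100 + b"\xbe" * 50
```

Against the 154-byte sample block the decoder expands to 6,783 bytes of headers under a generous cap, but under a 4,096-byte cap it stops after the 31st field, which is the point of enforcing the limit during decoding.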



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-HTTP2-Bomb-A-Decade-Old-DoS-Attack-Reborn-through-AI-Powered-Exploits-ehn.shtml

  • https://www.theregister.com/security/2026/06/04/openais-codex-chains-decade-old-dos-techniques-into-http/2-bomb/5251377

  • https://www.imtr.net/article/openais-agent-chained-decade-old-dos-attacks-to-crash-web-servers-in-seconds-ef3a


  • Published: Thu Jun 4 15:26:32 2026 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.