https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb
Cybersecurity researchers have uncovered a severe remote denial-of-service vulnerability, dubbed the “HTTP/2 Bomb,” that affects some of the world’s most widely used web server infrastructure, including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora. Discovered by OpenAI Codex and reported by security firm Calif, the vulnerability exploits HTTP/2’s default configuration by chaining together two well-known techniques, a compression bomb and a Slowloris-style connection hold, to devastating effect. The attack targets HPACK, HTTP/2’s header compression scheme, where a single byte transmitted over the wire can trigger a full header allocation on the server, repeated thousands of times per request, whilst a zero-byte flow-control window prevents the server from ever freeing the consumed memory.
The scale of the potential damage is alarming, with researchers demonstrating that a single home computer on a standard 100 Mbps internet connection could render a vulnerable server completely inaccessible within seconds. More critically, a single attacking client is capable of consuming and holding up to 32 GB of server memory against Apache HTTPD and Envoy in approximately 20 seconds. What distinguishes the HTTP/2 Bomb from previously known variants is its novel amplification method, which exploits per-entry bookkeeping allocations around nearly empty headers rather than stuffing large values into compression tables, effectively bypassing existing decoded-size limits that servers had implemented to guard against earlier attacks.
Patches are currently available for NGINX, with users advised to upgrade to version 1.29.8 or above, and for Apache HTTPD via mod_http2 version 2.0.41. However, Microsoft IIS, Envoy, and Cloudflare Pingora have no patches available at the time of writing, leaving a significant portion of global web infrastructure exposed. Organisations unable to apply patches immediately are strongly urged to disable HTTP/2 entirely as a temporary mitigation measure.
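As an added triage helper, not code from Calif's post or from any of the named projects, the fixed versions and the disable-HTTP/2 workaround above expressed as a check over a server's version banner and its configuration. The component names, banner strings and config snippets are illustrative assumptions; the version thresholds are the ones the article gives.

```python
import re

# Minimum fixed versions from the article; None = no patch available at the time of writing.
PATCHED_VERSIONS = {
    "nginx": (1, 29, 8),
    "mod_http2": (2, 0, 41),
    "iis": None,
    "envoy": None,
    "pingora": None,
}

def parse_version(text):
    """Extract the first dotted numeric version: 'nginx version: nginx/1.28.0' -> (1, 28, 0)."""
    match = re.search(r"(\d+(?:\.\d+)+)", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))

def is_patched(component, version_text):
    """True when the version is at or above the article's fixed version. Tuple comparison is
    lexicographic, so (1, 30) >= (1, 29, 8); components with no published fix are never patched."""
    fixed = PATCHED_VERSIONS[component.lower()]
    return fixed is not None and parse_version(version_text) >= fixed

def _strip_comments(conf):
    """Drop '#' comments so a commented-out directive is not counted as active."""
    return re.sub(r"#[^\n]*", "", conf)

def http2_enabled_nginx(conf):
    """HTTP/2 is on if a 'listen' line carries the legacy http2 flag or 'http2 on;' is set;
    'http2 off;' does not count."""
    conf = _strip_comments(conf)
    legacy = re.search(r"\blisten\b[^;]*\bhttp2\b", conf)
    directive = re.search(r"^\s*http2\s+on\s*;", conf, re.MULTILINE)
    return bool(legacy or directive)

def http2_enabled_apache(conf):
    """HTTP/2 is on if a 'Protocols' directive lists h2 (TLS) or h2c (cleartext)."""
    conf = _strip_comments(conf)
    return bool(re.search(r"^\s*Protocols\b[^\n]*\bh2c?\b", conf, re.MULTILINE | re.IGNORECASE))

def needs_mitigation(component, version_text, conf=""):
    """Unpatched and still serving HTTP/2 -> apply the article's workaround (disable HTTP/2).
    Without a readable config we assume HTTP/2 is on, the default the attack relies on."""
    if is_patched(component, version_text):
        return False
    check = {"nginx": http2_enabled_nginx, "mod_http2": http2_enabled_apache}.get(component.lower())
    return True if check is None or not conf else check(conf)
```

Feed it the output of `nginx -v` or the loaded Apache module version plus the relevant config; a result of `True` means the server is still exposed and HTTP/2 should be switched off until the upgrade lands.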