HackMyIP
2026-06-03 The Hacker News

HTTP/2 Bomb: New DoS Flaw Hits NGINX, Apache, IIS, Envoy & Cloudflare

Tags: Vulnerability, Zero-Day, Cloud Security

Cybersecurity researchers at Calif have disclosed a new remote denial-of-service vulnerability dubbed "HTTP/2 Bomb" that affects five major web server platforms: NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare's Pingora. Discovered by OpenAI Codex, the flaw chains together two known attack techniques, a compression bomb and a Slowloris-style hold, and works against default HTTP/2 configurations. It specifically targets HPACK, HTTP/2's header compression scheme: a single byte on the wire translates into a full header allocation on the server, repeated thousands of times per request, while a zero-byte flow-control window prevents the server from freeing any of that memory.

Unlike the traditional HPACK Bomb (CVE-2016-6581), which references large header values repeatedly, HTTP/2 Bomb works in reverse. The header payload is nearly empty; the amplification comes from the per-entry bookkeeping the server allocates around each header entry, so decoded-size limits never trigger because there is almost nothing to decode. The attack is devastatingly efficient: a single client on a 100 Mbps home connection can render a vulnerable server inaccessible within seconds, and benchmarks show a single attacker consuming and holding 32GB of server memory against Apache HTTPD and Envoy in roughly 20 seconds. The technique builds on prior flaws including CVE-2025-53020 (Apache httpd memory exhaustion), CVE-2016-8740 (crafted CONTINUATION frames), and CVE-2016-1546 (worker-thread starvation in HTTP/2 connections).

Mitigations are rolling out unevenly across the affected vendors. NGINX has released version 1.29.8+, which introduces a new max_headers directive defaulting to 1000; setting http2 off; disables HTTP/2 as a fallback. Apache HTTPD is patched in mod_http2 v2.0.41, or administrators can set Protocols http/1.1 to disable HTTP/2 entirely. Microsoft IIS, Envoy, and Cloudflare Pingora currently have no patches available, leaving operators of those platforms exposed in the interim. Security teams should audit their exposure immediately: running a port scanner to confirm which listeners negotiate HTTP/2, and an SSL/TLS checker to verify server configurations, are reasonable first steps. For broader defensive posture, organizations can also use a privacy checkup to ensure their external-facing web infrastructure isn't leaking additional metadata that could aid reconnaissance during an active exploitation campaign.
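The exposure audit described above, as an added example that is not part of the article and not code from any of the vendors named: a small POSIX shell helper that (a) asks a TLS listener which HTTP version it negotiates, using curl's --http2 request and its %{http_version} output variable, and (b) inspects an NGINX configuration file for an enabled HTTP/2 listener and for the max_headers directive the article attributes to NGINX 1.29.8+. Hostnames, ports and file paths are placeholders you supply; the directive names are taken from the article and the curl behaviour is assumed to match a recent curl build with HTTP/2 support.

```shell
#!/bin/sh
# Added example (not from the article). Inventory HTTP/2 exposure on
# listeners you operate, and check NGINX configs for the mitigation
# directives named in the article (max_headers, http2 off).

# classify VERSION
#   Maps curl's %{http_version} value to an exposure label.
#   "2" means the server negotiated HTTP/2 and is in scope for this flaw.
classify() {
  case "$1" in
    2|3)      echo "h2-enabled" ;;   # review patch level / max_headers
    1.1|1.0)  echo "http1-only" ;;   # HPACK not in play on this listener
    *)        echo "unknown" ;;      # connect failure, timeout, etc.
  esac
}

# probe HOST [PORT]
#   Prints "HOST:PORT <label>". Only a HEAD request is sent; nothing
#   about the attack is reproduced, we just observe the negotiated version.
probe() {
  host=$1
  port=${2:-443}
  ver=$(curl -sS --http2 -I -o /dev/null -m 10 \
        -w '%{http_version}' "https://$host:$port/" 2>/dev/null) || ver=""
  echo "$host:$port $(classify "$ver")"
}

# audit_nginx_conf FILE
#   Prints "h2:on|off max_headers:<n>|unset" for one NGINX config file.
#   Comment lines are ignored. HTTP/2 counts as on if a listen line
#   carries the (older) "http2" parameter or an "http2 on;" directive exists.
audit_nginx_conf() {
  f=$1
  if grep -Ev '^[[:space:]]*#' "$f" \
     | grep -Eq 'listen[^;]*[[:space:]]http2|^[[:space:]]*http2[[:space:]]+on[[:space:]]*;'
  then h2=on; else h2=off; fi
  mh=$(grep -Ev '^[[:space:]]*#' "$f" \
       | sed -n 's/^[[:space:]]*max_headers[[:space:]]*\([0-9]*\)[[:space:]]*;.*/\1/p' \
       | head -n 1)
  echo "h2:$h2 max_headers:${mh:-unset}"
}

# Usage (placeholders, not real hosts or paths):
#   probe www.example.invalid
#   probe api.example.invalid 8443
#   audit_nginx_conf /etc/nginx/conf.d/placeholder.conf
```

A listener reported as h2-enabled by probe, whose config comes back as "h2:on max_headers:unset", is the combination the article says to fix first: either upgrade to a build that provides max_headers or set http2 off; until the patch lands. For Apache, the equivalent config check is simply whether Protocols http/1.1 (or the patched mod_http2) is in effect.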

Source: The Hacker News
