‘HTTP/2 Bomb’ Exploit Knocks Web Servers Offline in Seconds


Known denial-of-service (DoS) techniques can be chained together in a new exploit that can knock major web servers offline, security researchers at Calif warn.

Dubbed HTTP/2 Bomb and discovered using OpenAI’s Codex, the exploit combines a compression bomb that targets HTTP/2’s header compression scheme (HPACK) with a Slowloris-style hold that prevents the server from freeing memory.

According to California-based cybersecurity firm Calif, the attack potentially affects over 880,000 websites that support HTTP/2 and run default NGINX, Apache HTTPD, Microsoft IIS, Envoy, or Cloudflare Pingora configurations.

Furthermore, the company says, an attack can be launched from a home computer on a 100 Mbps connection and can render any of these servers unavailable within seconds.

The techniques chained by the exploit are not new. In fact, three of the underlying issues were disclosed a decade ago, while another was resolved last year.

The first part of the exploit uses HPACK Bomb (tracked as CVE-2016-6581), a compression-layer attack relying on small messages that turn into gigabytes of data once they reach the destination server.


Last year, the attack was demonstrated against Apache HTTPD with a 4000x amplification rate, and was resolved in Apache HTTP Server version 2.4.64 as CVE-2025-53020.

The second part of the new exploit targets CVE-2016-8740 and CVE-2016-1546 (Slow Read), two Apache HTTPD flaws leading to DoS conditions via Continuation frames in an HTTP/2 request and via modified flow-control windows.

These HTTP/2 Slowloris-type issues are abused for memory exhaustion by advertising a zero-byte flow-control window so that the server does not send a response, and then resetting the send timeout to prevent the server from freeing memory allocations.

“What’s new here is where the amplification comes from. The classic bomb stuffs a large value into the table and references it repeatedly, so servers learned to cap the total decoded header size,” Calif notes.

“Our variant goes the other way: the header is nearly empty, and the amplification comes from the per-entry bookkeeping the server allocates around it. The decoded-size limit never fires because there’s almost nothing to decode,” the company explains.
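To make the accounting point in that quote concrete, the following is an added illustration (not Calif's PoC and not any server's real code): a toy header-block admission check that models the classic decoded-size cap beside one that also charges per-field overhead and bounds the field count. The 32-octet overhead is borrowed from RFC 7541's dynamic-table accounting as an assumed stand-in for server bookkeeping, and the header blocks are constructed, not captured traffic.

```python
# Added illustration: why a decoded-header-size cap alone misses a header block
# made of many nearly empty fields. Not Calif's PoC, not any server's real code.
from dataclasses import dataclass
from typing import List, Tuple

# RFC 7541 section 4.1 charges 32 octets per dynamic-table entry; reused here as an
# ASSUMED stand-in for whatever per-field structure a server allocates.
PER_FIELD_OVERHEAD = 32

Fields = List[Tuple[str, str]]


@dataclass(frozen=True)
class Limits:
    max_decoded_bytes: int = 256 * 1024   # classic cap: sum of name+value lengths
    max_fields: int = 1000                # added cap: number of header fields
    max_accounted_bytes: int = 64 * 1024  # added cap: decoded bytes plus overhead


def decoded_size(fields: Fields) -> int:
    """Bytes a decoded-size limit sees: names and values only."""
    return sum(len(name) + len(value) for name, value in fields)


def accounted_size(fields: Fields) -> int:
    """Decoded bytes plus the per-field bookkeeping the server actually pays for."""
    return decoded_size(fields) + PER_FIELD_OVERHEAD * len(fields)


def admit_legacy(fields: Fields, limits: Limits = Limits()) -> bool:
    """Only the decoded-size check that defeated the classic HPACK bomb."""
    return decoded_size(fields) <= limits.max_decoded_bytes


def admit_hardened(fields: Fields, limits: Limits = Limits()) -> bool:
    """Also bounds field count and the overhead-inclusive size."""
    return (decoded_size(fields) <= limits.max_decoded_bytes
            and len(fields) <= limits.max_fields
            and accounted_size(fields) <= limits.max_accounted_bytes)


# Constructed sample header blocks (not real traffic).
BENIGN = [(":method", "GET"), (":path", "/"), (":scheme", "https"),
          (":authority", "example.com")]
CLASSIC_BOMB = [("x", "A" * 4096)] * 1024   # one large value referenced repeatedly
NEARLY_EMPTY = [("x", "")] * 100_000        # tiny fields, very large count

if __name__ == "__main__":
    for label, block in (("benign", BENIGN), ("classic", CLASSIC_BOMB),
                         ("nearly-empty", NEARLY_EMPTY)):
        print(label, decoded_size(block), accounted_size(block),
              admit_legacy(block), admit_hardened(block))
```

The nearly empty block passes the legacy check (100,000 decoded bytes against a 256 KiB cap) while its overhead-inclusive size is 3,300,000 bytes, which is what the hardened check catches.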

Calif also identified a bypass for servers that cap the header-field count, and released proof-of-concept (PoC) code to demonstrate the attack.

The company says NGINX resolved the bug in April, while Apache rolled out fixes in late May (and issued CVE-2026-49975). Microsoft IIS, Envoy, and Cloudflare Pingora had not been patched at the time of writing.

“The other thing worth noting is how this exploit was found. Both halves have been public for a decade. What Codex did was read the codebases, recognize that the two compose, and build the combined attack. That combination is obvious once you see it, and yet as far as we can tell no human had put it together against these servers,” Calif notes.

https://www.securityweek.com/http-2-bomb-exploit-knocks-web-servers-offline-in-seconds/