Cybersecurity researchers have identified a critical remote denial-of-service (DoS) vulnerability, dubbed HTTP/2 Bomb, affecting major web servers including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora. Discovered by Calif. researchers, the exploit targets the default HTTP/2 configurations of these widely used servers, potentially allowing even a single attacker to render them inaccessible.
The HTTP/2 Bomb vulnerability exploits a combination of established attack techniques. According to Calif., the exploit was identified through OpenAI Codex and integrates a compression bomb targeting the HPACK header compression scheme with a Slowloris-style connection hold. This potent pairing allows a small amount of data to trigger a disproportionately large memory allocation on the server, which is then held indefinitely by the attacker, preventing the server from reclaiming resources.
Understanding the HTTP/2 Bomb Exploit
At the core of the HTTP/2 Bomb vulnerability lies HPACK, the header compression algorithm for HTTP/2. HPACK is designed to reduce the size of request and response headers using Huffman encoding, offering significant bandwidth savings. It was also engineered to be resistant to attacks like CRIME, which sought to leak sensitive information from compressed headers. However, the HTTP/2 Bomb circumvents these protections by manipulating how HPACK implementations allocate memory.
The other component of the exploit draws inspiration from Slowloris, a type of DoS attack. Slowloris works by opening and maintaining numerous simultaneous HTTP connections to a target server. By keeping these connections open for extended periods, an attacker can exhaust the server’s available connection slots, preventing legitimate users from accessing the service. This specific attack vector targets the application layer.
The HTTP/2 Bomb is not entirely novel; it builds upon historical vulnerabilities. Researchers cite HPACK Bomb (CVE-2016-6581), first disclosed in 2016, as a precursor. Additionally, the exploit is informed by memory exhaustion flaws in Apache httpd’s HTTP/2 implementation (CVE-2025-53020) and earlier DoS issues in Apache HTTP Server related to crafted CONTINUATION frames (CVE-2016-8740) and worker-thread starvation (CVE-2016-1546) within HTTP/2 connections.
What distinguishes the HTTP/2 Bomb is its unique amplification mechanism. While earlier “bomb” attacks involved stuffing large values into HPACK tables, which servers learned to cap, this new variant operates differently. Instead of large decoded sizes, the HTTP/2 Bomb leverages the server’s per-entry bookkeeping for nearly empty headers. This bypasses the decoded-size limits, as there is minimal data to decode, yet the server allocates significant memory for managing these entries. Calif. stated, “The deeper miss is that the spec frames memory risk purely as an amplification ratio, and ratio is only half the equation.”
The practical implications of this vulnerability are severe. A single attacker with a modest internet connection, such as a 100 Mbps link, could potentially render a vulnerable server unresponsive within seconds. In a worst-case scenario, a single client can consume and retain approximately 32 GB of server memory on Apache HTTPD and Envoy within about 20 seconds.
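The accounting behind the two paragraphs above is easier to see in a decoder that enforces both controls. The following is an added example, not code from the article, from Calif., or from any of the servers named: a minimal RFC 7541 HPACK decoder whose size limit uses the spec's own entry accounting (name + value + 32 bytes, the basis of `SETTINGS_MAX_HEADER_LIST_SIZE`) and whose header-count cap models a directive like NGINX's `max_headers`. The static-table subset is a constructed excerpt of the spec's Appendix A, and the inputs it is exercised on are constructed as well (two are the spec's Appendix C test vectors; one repeats a single static-table reference purely to exercise the limits).

```python
"""HPACK (RFC 7541) header-block decoder with two independent limits: a decoded-size
budget using the spec's entry accounting (name + value + 32 bytes) and a header-count
cap modelled on a directive like nginx's max_headers. Huffman strings are rejected."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Subset of the RFC 7541 Appendix A static table; a real decoder carries all 61 entries.
STATIC_TABLE = {1: (":authority", ""), 2: (":method", "GET"), 3: (":method", "POST"),
                4: (":path", "/"), 5: (":path", "/index.html"), 6: (":scheme", "http"),
                7: (":scheme", "https"), 8: (":status", "200"), 24: ("cache-control", "")}
STATIC_TABLE_SIZE = 61   # dynamic-table indices start at 62
ENTRY_OVERHEAD = 32      # the spec's per-entry overhead estimate


class HeaderLimitExceeded(Exception):
    """Header block exceeds the size budget or the count cap."""


def decode_int(buf: bytes, pos: int, prefix_bits: int) -> Tuple[int, int]:
    """Section 5.1 integer with an N-bit prefix; returns (value, next position)."""
    mask = (1 << prefix_bits) - 1
    value, pos = buf[pos] & mask, pos + 1
    if value < mask:
        return value, pos
    shift = 0
    while True:          # continuation bytes carry 7 bits each, least significant first
        b, pos = buf[pos], pos + 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def decode_string(buf: bytes, pos: int) -> Tuple[str, int]:
    """Section 5.2 string literal: H bit, 7-bit-prefixed length, then the octets."""
    huffman = bool(buf[pos] & 0x80)
    length, pos = decode_int(buf, pos, 7)
    if huffman:
        raise ValueError("Huffman-coded strings are not supported in this example")
    raw = buf[pos:pos + length]
    if len(raw) != length:
        raise ValueError("truncated string literal")
    return raw.decode("ascii"), pos + length


@dataclass
class Decoder:
    max_header_list_size: int = 65536   # decoded-size budget (RFC-style accounting)
    max_headers: Optional[int] = None   # header-count cap; None means unlimited
    dynamic_table_size: int = 4096      # SETTINGS_HEADER_TABLE_SIZE default
    dynamic: List[Tuple[str, str]] = field(default_factory=list)  # newest first

    def _evict(self) -> None:           # drop oldest entries until the table fits
        while self.dynamic and sum(len(n) + len(v) + ENTRY_OVERHEAD
                                   for n, v in self.dynamic) > self.dynamic_table_size:
            self.dynamic.pop()

    def _lookup(self, index: int) -> Tuple[str, str]:
        if index in STATIC_TABLE:
            return STATIC_TABLE[index]
        pos = index - STATIC_TABLE_SIZE - 1
        if index <= STATIC_TABLE_SIZE or pos >= len(self.dynamic):
            raise ValueError(f"table index {index} is invalid or outside this subset")
        return self.dynamic[pos]

    def _literal(self, block: bytes, pos: int, index: int) -> Tuple[str, str, int]:
        if index:                         # name comes from the table, value is literal
            name = self._lookup(index)[0]
        else:                             # both name and value are literal strings
            name, pos = decode_string(block, pos)
        value, pos = decode_string(block, pos)
        return name, value, pos

    def decode(self, block: bytes) -> List[Tuple[str, str]]:
        headers: List[Tuple[str, str]] = []
        decoded_bytes, pos = 0, 0
        while pos < len(block):
            first = block[pos]
            if first & 0x80:                      # 1xxxxxxx: indexed header field
                index, pos = decode_int(block, pos, 7)
                name, value = self._lookup(index)
            elif (first & 0xC0) == 0x40:          # 01xxxxxx: literal, added to the table
                index, pos = decode_int(block, pos, 6)
                name, value, pos = self._literal(block, pos, index)
                self.dynamic.insert(0, (name, value))
                self._evict()
            elif (first & 0xE0) == 0x20:          # 001xxxxx: dynamic table size update
                self.dynamic_table_size, pos = decode_int(block, pos, 5)
                self._evict()
                continue
            else:                                 # 0000xxxx / 0001xxxx: literal, not indexed
                index, pos = decode_int(block, pos, 4)
                name, value, pos = self._literal(block, pos, index)
            headers.append((name, value))
            decoded_bytes += len(name) + len(value) + ENTRY_OVERHEAD
            if decoded_bytes > self.max_header_list_size:
                raise HeaderLimitExceeded(f"decoded size {decoded_bytes} exceeds budget")
            # The 32-byte charge is only the spec's estimate of bookkeeping; real per-field
            # structures can cost more, which is why the count cap is a separate control.
            if self.max_headers is not None and len(headers) > self.max_headers:
                raise HeaderLimitExceeded(f"more than {self.max_headers} header fields")
        return headers
```

Decoding the Appendix C.3.1 vector (`828684410f7777772e6578616d706c652e636f6d`) yields the four expected fields and leaves `:authority` in the dynamic table for the C.3.2 request that follows. A constructed block of 1500 one-byte indexed fields is charged 1500 × 42 = 63,000 bytes and so passes a 64 KiB size budget, yet a 1000-field cap stops it; that gap between a size budget and a count cap is what the article's "ratio is only half the equation" remark is about.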
Mitigation Strategies for HTTP/2 Vulnerabilities
To address the HTTP/2 Bomb vulnerability, specific mitigation steps are recommended for different server platforms. For NGINX, the advised solution is to upgrade to version 1.29.8 or later, which introduces the `max_headers` directive, defaulting to 1000. If an upgrade is not feasible, disabling HTTP/2 entirely by setting `http2 off;` is an alternative.
Apache HTTPD users should upgrade to `mod_http2` version 2.0.41 or newer, where the vulnerability has been fixed. Alternatively, administrators can disable HTTP/2 by setting `Protocols http/1.1` in their configuration.
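For NGINX fleets, the two mitigations above reduce to a check an operator can script against the output of `nginx -v` (version line) and `nginx -T` (effective configuration dump). The following is an added example, not code from the article or from the NGINX project: it flags hosts that expose HTTP/2 on a version below 1.29.8 and have not turned HTTP/2 off, using the version threshold and directive names the article gives. The configuration parsing is a deliberately simple regex pass (it recognises `http2 on;`/`http2 off;` and the legacy `listen ... http2` parameter) rather than a full NGINX config parser, and the version line and config texts it is exercised on are constructed samples.

```python
"""Assess an nginx host against the HTTP/2 Bomb mitigations named in the article:
upgrade to 1.29.8+ (which adds max_headers, default 1000) or set `http2 off;`.
Inputs are the text of `nginx -v` and `nginx -T`; parsing is regex-based and simplified."""
import re
from typing import List, Tuple

FIXED_VERSION = (1, 29, 8)   # first release with the max_headers directive, per the article


def parse_nginx_version(version_output: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from `nginx -v` output such as 'nginx version: nginx/1.28.0'."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no nginx version string found")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def _strip_comments(config: str) -> str:
    return re.sub(r"#[^\n]*", "", config)


def http2_state(config: str) -> str:
    """'on' if anything enables HTTP/2 (modern `http2 on;` or legacy `listen ... http2;`),
    'off' if only `http2 off;` appears, 'unset' if neither is present."""
    text = _strip_comments(config)
    directives = re.findall(r"\bhttp2\s+(on|off)\s*;", text)
    legacy = re.search(r"\blisten\b[^;]*\bhttp2\b[^;]*;", text)
    if "on" in directives or legacy:
        return "on"
    return "off" if "off" in directives else "unset"


def has_max_headers(config: str) -> bool:
    """True if the max_headers directive is set explicitly anywhere in the dump."""
    return re.search(r"\bmax_headers\s+\d+\s*;", _strip_comments(config)) is not None


def assess_nginx(version_output: str, config_dump: str) -> List[str]:
    """Return findings; the first entry starts with UPGRADE when action is required."""
    version = parse_nginx_version(version_output)
    state = http2_state(config_dump)
    label = ".".join(map(str, version))
    if state != "on":
        return [f"OK: nginx {label} does not enable HTTP/2 (state: {state}); HTTP/2 Bomb surface closed"]
    if version < FIXED_VERSION:
        return [f"UPGRADE: nginx {label} serves HTTP/2 without max_headers; "
                "upgrade to 1.29.8 or later, or set `http2 off;`"]
    if has_max_headers(config_dump):
        return [f"OK: nginx {label} with max_headers set explicitly"]
    return [f"OK: nginx {label}; the max_headers default of 1000 applies"]


if __name__ == "__main__":
    # Constructed samples standing in for real `nginx -v` / `nginx -T` output.
    sample_config = "http {\n  server {\n    listen 443 ssl;\n    http2 on;  # enabled\n  }\n}\n"
    print(assess_nginx("nginx version: nginx/1.28.0", sample_config)[0])
```

On a real host, feed it `nginx -v 2>&1` and `nginx -T 2>/dev/null`; the check is conservative in that `http2 on;` anywhere counts as enabled, so a dump with mixed per-server settings is reported as exposed until the operator confirms otherwise.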
As of the latest reporting, there are no specific patches available for Microsoft IIS, Envoy, or Cloudflare Pingora. Users of these platforms are advised to monitor for official security advisories and updates from the respective vendors.
The core issue, as highlighted by Calif., is that HTTP/2 allows clients to keep connections open with minimal overhead. This enables attackers to indefinitely “pin” server memory allocations, turning a theoretically harmless amplification ratio into a potent denial-of-service weapon. The long-term implications of this research point towards a need for more robust memory management and connection handling in HTTP/2 implementations, especially when dealing with variable or potentially malicious header manipulation.
The cybersecurity community awaits further vendor responses and potential patches for the affected servers. Organizations utilizing IIS, Envoy, or Cloudflare Pingora should prioritize monitoring official communications for any forthcoming mitigation guidance or security updates to protect their infrastructure from the HTTP/2 Bomb exploit.