A newly discovered denial-of-service exploit affects major web servers including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora, and the vulnerability can consume massive amounts of server memory in seconds.
The HTTP/2 Bomb denial of service vulnerability was discovered by Calif using OpenAI Codex, and the exploit chains together two known techniques: an HPACK compression bomb and a Slowloris-style hold.
The vulnerability exists in each server's default HTTP/2 configuration, and a single client on a 100Mbps connection can render a vulnerable server inaccessible within seconds.
How HTTP/2 Bomb Works
The HTTP/2 Bomb denial of service vulnerability targets HPACK, HTTP/2's header compression scheme.
In a classic HPACK bomb, one byte on the wire becomes one full header allocation on the server, repeated thousands of times per request; servers learned to cap the total decoded header size.
The HTTP/2 Bomb variant goes the other way: the header is nearly empty, and the amplification comes from the per-entry bookkeeping that the server allocates around it. The decoded-size limit never fires because there is almost nothing to decode.
The Slowloris Component
The second component of the HTTP/2 Bomb denial of service vulnerability is a zero-byte flow-control window that keeps the server from ever freeing any of the allocated memory.
Slowloris is a classic denial-of-service technique in which an attacker opens many connections and keeps them open by sending data very slowly; the HTTP/2 Bomb denial of service uses a similar hold technique.
The combination of the HPACK bomb and the Slowloris hold means the server allocates memory for each header entry and never frees it.
The Memory Impact
The HTTP/2 Bomb denial of service vulnerability has devastating memory consumption characteristics.
A single client can consume and hold 32GB of server memory against Apache HTTPD and Envoy in about 20 seconds; this is enough to crash any server with typical memory limits.
The HTTP/2 Bomb denial of service vulnerability works because the per-entry bookkeeping memory is pinned for the duration of the connection, and the attacker can hold the connection open almost for free.
Affected Web Servers
The HTTP/2 Bomb denial of service vulnerability affects all major web servers in their default HTTP/2 configurations:
1. NGINX is vulnerable, and the fix is available in version 1.29.8 or later.
2. Apache HTTPD is vulnerable, and the fix is available in mod_http2 version 2.0.41 or later.
3. Microsoft IIS is vulnerable, and no patch is available as of the time of writing.
4. Envoy is vulnerable, and no patch is available as of the time of writing.
5. Cloudflare Pingora is vulnerable, and no patch is available as of the time of writing.
The HTTP/2 Bomb denial of service vulnerability is widespread, and many servers remain unprotected.
Why Previous Defenses Fail
Previous defenses against HPACK bombs focused on limiting the total decoded header size, but the HTTP/2 Bomb denial of service vulnerability bypasses this defense.
Because the header is nearly empty, the decoded size never exceeds any limit, and the attack is not detected.
Calif explained that the classic bomb stuffs a large value into the table and references it repeatedly, so servers learned to cap the total decoded header size; their variant goes the other way: the header is nearly empty, and the amplification comes from the per-entry bookkeeping.
The Attack Scenario
In a hypothetical attack scenario, a home computer on a 100Mbps connection has the potential to render a vulnerable server inaccessible within seconds.
The attacker sends a series of HTTP/2 requests with nearly empty headers that trigger per-entry bookkeeping allocations, and the zero-byte flow-control window holds the memory indefinitely.
The HTTP/2 Bomb denial of service attack requires very little bandwidth from the attacker, and a single client can take down a large server.
NGINX mitigations
NGINX has patched the HTTP/2 Bomb DoS (Denial of Service) vulnerability. Users should update to NGINX 1.29.8 or later, which introduces the max_headers directive, with a default value of 1000, for all supported configurations.
Users unable to upgrade can disable HTTP/2 by adding the http2 off; directive to the NGINX configuration.
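As an added configuration example (not from the article or the NGINX project), the patched setting beside the fallback; it assumes NGINX 1.29.8 or later and that the limit is set with the max_headers directive named above in the http context:

```nginx
# Added example, not from the article or the NGINX project.
# Assumes NGINX 1.29.8+ and that max_headers is accepted in the http context.
http {
    # Cap the number of headers accepted per request. The article gives the
    # directive a default of 1000; a site that never sends dozens of headers
    # can set a lower value.
    max_headers 1000;

    server {
        listen 443 ssl;
        server_name example.test;   # placeholder hostname
        http2 on;                   # HTTP/2 stays enabled once patched
    }
}

# Fallback for hosts still on an older NGINX: disable HTTP/2 entirely so the
# HPACK path, and its per-entry bookkeeping, is never reached.
http {
    server {
        listen 443 ssl;
        server_name example.test;   # placeholder hostname
        http2 off;
    }
}
```

Use one of the two http blocks, not both; TLS certificate directives are omitted for brevity.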
The Apache HTTPD mitigation
Apache HTTPD has provided a patch for the HTTP/2 Bomb DoS vulnerability. The fix is included in mod_http2 version 2.0.41; users are encouraged to update their Apache HTTPD installation if at all possible.
Users who cannot update their installation can disable HTTP/2 with the Protocols http/1.1 directive in their Apache HTTPD configuration.
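As an added configuration example (not from the article or the Apache project), the patched virtual host beside the HTTP/1.1-only fallback; it assumes mod_http2 is loaded and that the first block runs mod_http2 2.0.41 or later:

```apache
# Added example, not from the article or the Apache project.
# Assumes mod_http2 is loaded; Apache does not allow trailing comments,
# so every comment sits on its own line.

# Patched host: mod_http2 2.0.41+ keeps HTTP/2 (h2) enabled.
<VirtualHost *:443>
    ServerName example.test
    Protocols h2 http/1.1
</VirtualHost>

# Fallback for installs still on an older mod_http2: advertise HTTP/1.1 only,
# so the h2 path and its HPACK table bookkeeping are never reached.
<VirtualHost *:443>
    ServerName example.test
    Protocols http/1.1
</VirtualHost>
```

Use one of the two virtual hosts, not both; SSL directives are omitted for brevity.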
IIS, Envoy, and Pingora are currently unpatched
No patches are available for the HTTP/2 Bomb DoS vulnerability from Microsoft IIS, Envoy, or Cloudflare Pingora at the time of writing.
Administrators using these servers should consider disabling HTTP/2 until patches are available; this may impact performance but is safer than remaining vulnerable.
The HTTP/2 Bomb denial of service vulnerability has been publicly disclosed, and attackers may develop exploits soon.
The Specification Gap
Calif noted that the deeper issue is that the HTTP/2 specification frames memory risk purely as an amplification ratio, and ratio is only half the equation.
A 70 to 1 amplifier is harmless if the memory is freed when the request completes, but it becomes an attack because HTTP/2 lets the client hold the connection open almost for free, pinning every allocated byte for as long as it likes.
The HTTP/2 Bomb denial of service vulnerability exposes a fundamental flaw in how HTTP/2 handles memory allocation and connection holding.
The Role of OpenAI Codex
The HTTP/2 Bomb denial of service vulnerability was discovered by Calif using OpenAI Codex.
The fact that Codex can assist in vulnerability discovery is significant, and demonstrating that capability raises questions about the direction of future vulnerability research.
In this case, the researchers combined the HPACK bomb, a known attack technique, with the Slowloris hold, a well-known denial-of-service technique; the combination was identified with Codex's assistance.
Ways to Safeguard Your Servers
Take immediate steps to address the HTTP/2 bomb DoS vulnerability.
1. NGINX: Upgrade to at least v1.29.8 so that you have access to the new max_headers setting, which limits the number of headers that may be sent with any request.
2. Apache HTTPD mod_http2: Upgrade to at least v2.0.41 so that you have the fix for the HTTP/2 Bomb DoS vulnerability.
3. IIS, Envoy, and Pingora: Disable HTTP/2 while waiting for patches. Disabling HTTP/2 is the only option for protection until patches are published.
4. Monitor memory consumption. HTTP/2 Bomb DoS attacks exploit memory exhaustion, so monitoring will also help identify DoS activity.
5. Use a reverse proxy with mitigations. If your web server cannot be patched, place a patched reverse proxy (such as a patched NGINX) in front of it.
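As an added check (not from the article), a POSIX shell script that compares an installed version against the fixed releases listed above and says whether to upgrade or fall back to disabling HTTP/2; it assumes you gather the version strings yourself (for example from nginx -v) and that they are plain dotted numbers:

```shell
#!/bin/sh
# Added example, not from the article. Fixed versions are the ones it names.
NGINX_FIXED="1.29.8"
MOD_HTTP2_FIXED="2.0.41"

# version_ge A B: exit 0 when dotted version A >= B (numeric components only;
# suffixes such as "-1" or "rc1" are an assumption this helper does not handle).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ap="${a%%.*}"; bp="${b%%.*}"
        [ -z "$ap" ] && ap=0        # missing component counts as 0
        [ -z "$bp" ] && bp=0
        [ "$ap" -gt "$bp" ] && return 0
        [ "$ap" -lt "$bp" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# check_server NAME VERSION: exit 0 if patched, 1 if an upgrade is needed,
# 2 if no patch exists for that server (disable HTTP/2), 3 if NAME is unknown.
check_server() {
    case "$1" in
        nginx)     fixed="$NGINX_FIXED" ;;
        mod_http2) fixed="$MOD_HTTP2_FIXED" ;;
        iis|envoy|pingora)
            echo "$1: no patch available, disable HTTP/2 until one ships"
            return 2 ;;
        *)  echo "unknown server: $1" >&2; return 3 ;;
    esac
    if version_ge "$2" "$fixed"; then
        echo "$1 $2: patched (fix shipped in $fixed)"
        return 0
    fi
    echo "$1 $2: upgrade to $fixed or later, or disable HTTP/2 meanwhile" \
         "(nginx: 'http2 off;', Apache: 'Protocols http/1.1')"
    return 1
}

# Typical use on a host (version string taken from the running binary):
#   check_server nginx "$(nginx -v 2>&1 | sed 's#.*nginx/##')"
```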
Final Thoughts
The HTTP/2 Bomb denial of service vulnerability is a creative combination of two known techniques.
The HPACK compression bomb provides the memory amplification, and the Slowloris hold keeps the memory pinned indefinitely; together they can consume 32GB of server memory in 20 seconds.
The HTTP/2 Bomb denial of service vulnerability affects every major web server, and patches are only available for NGINX and Apache HTTPD.
If you run a web server, check your HTTP/2 configuration today, upgrade if possible, disable HTTP/2 if not, and monitor your memory usage.
The HTTP/2 Bomb denial of service vulnerability shows that even well-known protocols can have hidden attack surfaces.
FAQ
What is the HTTP/2 Bomb denial of service vulnerability?
The HTTP/2 Bomb denial of service vulnerability chains a nearly-empty HPACK header (triggering per-entry bookkeeping allocations) with a zero-byte flow-control window (holding memory indefinitely), consuming 32GB of server memory in seconds.
Which web servers are affected by this vulnerability?
NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora are all affected in their default HTTP/2 configurations.
Is there a patch available for NGINX and Apache?
Yes. NGINX 1.29.8 adds the max_headers directive, and Apache mod_http2 2.0.41 includes a fix; users of IIS, Envoy, and Pingora should disable HTTP/2 until patches are available.
How much memory can a single attacker consume?
A single client can consume and hold 32GB of server memory against Apache HTTPD and Envoy in about 20 seconds.
Why do previous HPACK defenses fail against this attack?
Previous defenses cap the total decoded header size, but this attack uses nearly empty headers, so the decoded size never exceeds any limit, and the amplification comes from per-entry bookkeeping instead of decoded data.