HTTP/2 Bomb DoS attack crashes servers in seconds

By Craig Nash
Tech writer at All Things Geek. Covers artificial intelligence, semiconductors, and computing hardware.

The HTTP/2 Bomb DoS attack is a newly discovered remote denial-of-service exploit that targets major web servers in their default HTTP/2 configurations, combining two long-known attack techniques into a practical server-crashing weapon. Researchers working with OpenAI’s Codex discovered the vulnerability, which affects nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora. A single attacker on a 100Mbps home internet connection can render a vulnerable server inaccessible within seconds, with some platforms losing 32GB of memory in roughly 20 seconds.

Key Takeaways

  • The HTTP/2 Bomb chains HPACK compression bombs with HTTP/2 flow-control stalls to exhaust server memory rapidly.
  • A Shodan scan reportedly found over 880,000 exposed internet-facing servers vulnerable to this attack pattern.
  • nginx version 1.29.8 and Apache mod_http2 v2.0.41 include patches; Microsoft IIS, Envoy, and Cloudflare Pingora remain unpatched.
  • Each 1-byte indexed reference can trigger roughly 70 bytes of allocation on nginx and IIS, but up to 4,000 bytes on Apache and Envoy.
  • Disabling HTTP/2 entirely is the recommended fallback mitigation for unpatched servers.

How the HTTP/2 Bomb DoS Attack Works

The HTTP/2 Bomb DoS attack exploits two distinct vulnerabilities chained together. First, an attacker seeds the server’s dynamic HPACK compression table with a single header entry, then floods the connection with thousands of 1-byte indexed references pointing back to that entry. The server allocates memory for each reference—roughly 70 bytes on nginx, IIS, and Pingora, but approximately 4,000 bytes on Apache httpd and Envoy. According to the researchers, one byte sent by the attacker becomes one full header allocation on the server.
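The header-count limit that the article says the nginx and Apache patches enforce can be seen in a decoder. The block below is an added example, not code from the article or from any of the servers it names: a small HPACK (RFC 7541) decoder that keeps the dynamic table, resolves indexed references, and rejects a header block once it yields more than a configurable number of fields (the default of 1000 is borrowed from the nginx max_headers value quoted in the article). The static table is deliberately partial and Huffman-coded strings are rejected rather than decoded; the seeded header block used as input is constructed for the example, and wire_to_decoded_ratio only shows how many decoded header bytes each wire byte produces, not what any real server allocates.

```python
"""Bounded HPACK (RFC 7541) header-block decoder with a header-count cap.

Added example, not from the article or from the servers it names. The cap
mirrors the kind of limit the article attributes to the nginx/Apache patches
(nginx's max_headers defaults to 1000). Huffman strings are rejected to keep
the example short; the static table below is a partial one.
"""
from dataclasses import dataclass, field

# Partial HPACK static table (RFC 7541 Appendix A); any other static index is rejected.
STATIC_TABLE = {2: (":method", "GET"), 4: (":path", "/"), 7: (":scheme", "https")}
STATIC_TABLE_SIZE = 61          # dynamic-table entries start at index 62


class HeaderBlockRejected(Exception):
    """Raised when a header block violates a limit or is malformed."""


@dataclass
class DynamicTable:
    max_size: int = 4096                          # SETTINGS_HEADER_TABLE_SIZE default
    entries: list = field(default_factory=list)   # newest entry first

    def size(self):
        return sum(len(n) + len(v) + 32 for n, v in self.entries)  # RFC 7541 s.4.1

    def evict(self):
        while self.entries and self.size() > self.max_size:
            self.entries.pop()

    def add(self, name, value):
        self.entries.insert(0, (name, value))
        self.evict()


def decode_int(block, pos, prefix_bits):
    """Integer with an N-bit prefix (RFC 7541 s.5.1); returns (value, new_pos)."""
    mask = (1 << prefix_bits) - 1
    value = block[pos] & mask
    pos += 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        b = block[pos]
        pos += 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def decode_string(block, pos):
    huffman = bool(block[pos] & 0x80)
    length, pos = decode_int(block, pos, 7)
    if huffman:
        raise HeaderBlockRejected("Huffman-coded string: not handled in this example")
    return block[pos:pos + length].decode("ascii"), pos + length


def decode_header_block(block, max_headers=1000, table=None):
    """Decode one header block; raise once more than max_headers fields appear."""
    table = table if table is not None else DynamicTable()
    headers, pos = [], 0

    def lookup(index):
        if index == 0:
            raise HeaderBlockRejected("index 0 is not a valid table reference")
        if index <= STATIC_TABLE_SIZE:
            if index not in STATIC_TABLE:
                raise HeaderBlockRejected(f"static index {index} not in this partial table")
            return STATIC_TABLE[index]
        dyn = index - STATIC_TABLE_SIZE - 1
        if dyn >= len(table.entries):
            raise HeaderBlockRejected(f"dynamic index {index} out of range")
        return table.entries[dyn]

    def emit(name, value):
        headers.append((name, value))
        if len(headers) > max_headers:      # the cap: stop before the block is fully decoded
            raise HeaderBlockRejected(f"header block exceeds {max_headers} fields")

    while pos < len(block):
        first = block[pos]
        if first & 0x80:                    # indexed header field: one wire byte
            index, pos = decode_int(block, pos, 7)
            emit(*lookup(index))
        elif first & 0x40:                  # literal with incremental indexing
            index, pos = decode_int(block, pos, 6)
            name, pos = (lookup(index)[0], pos) if index else decode_string(block, pos)
            value, pos = decode_string(block, pos)
            table.add(name, value)
            emit(name, value)
        elif first & 0x20:                  # dynamic table size update
            table.max_size, pos = decode_int(block, pos, 5)
            table.evict()
        else:                               # literal without indexing / never indexed
            index, pos = decode_int(block, pos, 4)
            name, pos = (lookup(index)[0], pos) if index else decode_string(block, pos)
            value, pos = decode_string(block, pos)
            emit(name, value)
    return headers


def seeded_block(n_refs, value_len=64):
    """Constructed input: one literal seeds the dynamic table, then n_refs
    one-byte indexed references to it (index 62 = newest dynamic entry)."""
    name, value = b"x-seed", b"A" * value_len
    seed = bytes([0x40, len(name)]) + name + bytes([len(value)]) + value
    return seed + bytes([0x80 | 62]) * n_refs


def wire_to_decoded_ratio(block, max_headers=1000):
    """Decoded header bytes per wire byte for a block that passes the cap."""
    headers = decode_header_block(block, max_headers)
    return sum(len(n) + len(v) for n, v in headers) / len(block)


if __name__ == "__main__":
    print(len(decode_header_block(seeded_block(500))), "fields decoded")
    try:
        decode_header_block(seeded_block(5000), max_headers=1000)
    except HeaderBlockRejected as exc:
        print("rejected:", exc)
```

The point of raising inside emit rather than after the loop is that the decoder stops allocating at the cap; a limit checked only once the whole block is decoded would still let every reference be materialised first.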

The second component weaponizes HTTP/2 flow control. The attacker advertises a zero-byte flow-control window, which prevents the server from ever finishing its response and freeing the allocated memory. To keep the connection alive and reset idle timeouts, the attacker sends 1-byte keep-alive frames that maintain the stall indefinitely. The combination is devastating: memory consumption climbs without interruption, and the server cannot garbage-collect or close the connection fast enough to recover.

Against Apache httpd and Envoy, a single client can consume and hold 32GB of server memory in about 20 seconds. This speed matters operationally—system administrators cannot react quickly enough to block the attacker before the server becomes unresponsive or crashes. The vulnerable behavior exists in each server’s default HTTP/2 configuration, meaning no special setup or non-standard settings are required for the attack to succeed.
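The stall described above defeats a timer that is reset by any incoming frame. A defender can instead time how long buffered response data has waited behind a zero window, and treat keep-alive frames as activity but not as progress. The block below is an added example, not code from the article or from any of the servers it names. It models one flow-control window per connection (stream-level windows are omitted), replays a constructed event trace in which connection A behaves normally and connection B advertises a zero window and sends a ping every five seconds, and compares a naive idle timer with a progress-based stall timer.

```python
"""Progress-based stall detection for HTTP/2 connections.

Added example, not from the article or any of the servers it names. One
flow-control window per connection is modelled (stream windows omitted).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ConnState:
    window: int = 65535                    # window the peer has advertised to us
    pending: int = 0                       # response bytes buffered, waiting for window
    last_frame: float = 0.0                # last time any frame arrived (idle timer)
    last_progress: Optional[float] = None  # last time buffered data actually drained


class StallDetector:
    def __init__(self, stall_timeout=10.0, pending_threshold=64 * 1024):
        self.stall_timeout = stall_timeout          # seconds without drain progress
        self.pending_threshold = pending_threshold  # bytes held before we care
        self.conns = {}

    def on_event(self, t, conn_id, kind, value=0):
        c = self.conns.setdefault(conn_id, ConnState())
        c.last_frame = t
        if kind == "settings_initial_window":
            c.window = value
        elif kind == "window_update":
            c.window += value
        elif kind == "response_queued":
            c.pending += value
            if c.last_progress is None:
                c.last_progress = t          # the stall clock starts when data first waits
        elif kind == "ping":
            pass                             # activity, but not progress
        else:
            raise ValueError(f"unknown event kind {kind!r}")
        self._drain(c, t)

    @staticmethod
    def _drain(c, t):
        sent = min(c.window, c.pending)
        if sent > 0:
            c.window -= sent
            c.pending -= sent
            c.last_progress = t

    def idle(self, now, idle_timeout=30.0):
        """Naive idle timer: fires only if no frame of any kind arrived recently."""
        return sorted(cid for cid, c in self.conns.items()
                      if now - c.last_frame > idle_timeout)

    def stalled(self, now):
        """Connections holding buffered data behind a zero window with no progress."""
        return sorted(cid for cid, c in self.conns.items()
                      if c.window == 0 and c.pending >= self.pending_threshold
                      and c.last_progress is not None
                      and now - c.last_progress > self.stall_timeout)


# Constructed trace (time, connection, kind, value). A drains normally; B sets a
# zero window, queues a large response and keeps the connection busy with pings.
EVENTS = [
    (0.0, "A", "settings_initial_window", 65535),
    (0.0, "B", "settings_initial_window", 0),
    (1.0, "A", "response_queued", 100_000),
    (1.0, "B", "response_queued", 100_000),
    (1.5, "A", "window_update", 65535),
    (5.0, "B", "ping"), (10.0, "B", "ping"), (15.0, "B", "ping"), (20.0, "B", "ping"),
]


def replay(events, **kwargs):
    det = StallDetector(**kwargs)
    for ev in events:
        det.on_event(*ev)
    return det


if __name__ == "__main__":
    det = replay(EVENTS)
    print("idle at t=20:", det.idle(20.0))        # []  : pings keep B looking alive
    print("stalled at t=20:", det.stalled(20.0))  # ['B']
```

Closing a connection that the stall timer flags frees the memory the article describes as being held; the idle timer alone never fires on B because each ping resets it.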

Which Web Servers Are Affected and Patched

The HTTP/2 Bomb DoS attack affects five major web server platforms, but patch status varies significantly. nginx released version 1.29.8 with a new max_headers directive defaulting to 1000, which limits the number of headers an HTTP/2 connection can consume. Apache httpd shipped a fix in mod_http2 v2.0.41 and assigned the vulnerability CVE-2026-49975. Both patches address the root cause by enforcing strict header-count limits that prevent the HPACK bombing phase.

Microsoft IIS, Envoy, and Cloudflare Pingora had not released patches at the time of disclosure. For these platforms, administrators cannot immediately patch and must rely on workarounds. Placing an unpatched server behind a reverse proxy or firewall that enforces hard per-request header-count limits offers only partial protection, since the attack can still succeed if the intermediary’s limits are not strict enough. This creates an urgent operational problem for organizations running unpatched deployments at scale.

Immediate Mitigation: Disabling HTTP/2

The recommended fallback mitigation across all affected servers is to disable HTTP/2 entirely until patches are applied. On nginx, administrators can add "http2 off;" to their configuration. On Apache httpd, setting "Protocols http/1.1" disables HTTP/2 and forces the server to use HTTP/1.1 instead. This approach eliminates the attack surface entirely, though it comes at a performance cost—HTTP/2 multiplexing and header compression provide real benefits for modern web applications.

The tradeoff between security and performance is stark. Reverting to HTTP/1.1 may increase latency and bandwidth consumption for users, particularly on slower connections or high-latency networks. However, a live server is more valuable than a fast one that is offline. Organizations should treat HTTP/2 disablement as a temporary emergency measure while waiting for official patches, then re-enable HTTP/2 once vendor updates are deployed and tested.
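Checking that the emergency setting is actually in place across a fleet is easier with a script than by eye. The block below is an added example, not from the article or the projects it names: it audits nginx and Apache httpd configuration text for the two settings the article gives ("http2 off;" and "Protocols http/1.1"). It also flags nginx's older "listen ... http2" parameter, which enables HTTP/2 without any "http2" directive and is easy to overlook after adding "http2 off;". The audit is conservative: nginx counts as mitigated only with an explicit "http2 off;" and no legacy listen parameter, Apache only when no Protocols line offers h2 or h2c (Apache's default Protocols value is http/1.1). The configuration snippets are constructed for the example, and only the text passed in is examined; include files are not followed.

```python
"""Audit nginx and Apache httpd configuration text for HTTP/2 enablement.

Added example, not from the article or the projects it names. Conservative:
nginx is 'mitigated' only with an explicit 'http2 off;' and no legacy
'listen ... http2' parameter; Apache only when no Protocols line offers h2/h2c.
"""
import re


def _directives(conf_text):
    """Yield (lineno, text) for each non-empty line with '#' comments removed."""
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield lineno, line


def audit_nginx(conf_text):
    directive, legacy = None, []
    for lineno, line in _directives(conf_text):
        m = re.match(r"^http2\s+(on|off)\s*;$", line)
        if m:
            directive = m.group(1)            # 'http2 on|off;' (nginx >= 1.25.1)
        if re.match(r"^listen\b.*\bhttp2\b", line):
            legacy.append(lineno)             # deprecated 'listen ... http2' parameter
    return {"http2_directive": directive,
            "legacy_listen_http2": legacy,
            "mitigated": directive == "off" and not legacy}


def audit_apache(conf_text):
    offering_h2 = []
    for lineno, line in _directives(conf_text):
        m = re.match(r"^Protocols\s+(.+)$", line, re.IGNORECASE)
        if m and any(p.lower() in ("h2", "h2c") for p in m.group(1).split()):
            offering_h2.append(lineno)
    return {"protocols_with_h2": offering_h2, "mitigated": not offering_h2}


# Constructed samples: the weak setting beside the corrected one.
NGINX_BEFORE = """\
server {
    listen 443 ssl;
    http2 on;
    server_name example.test;
}
"""
NGINX_LEGACY = """\
server {
    listen 443 ssl http2;   # enables HTTP/2 with no 'http2' directive at all
    server_name example.test;
}
"""
NGINX_AFTER = """\
server {
    listen 443 ssl;
    http2 off;   # emergency mitigation from the article
    server_name example.test;
}
"""
APACHE_BEFORE = """\
<VirtualHost *:443>
    Protocols h2 http/1.1
</VirtualHost>
"""
APACHE_AFTER = """\
<VirtualHost *:443>
    Protocols http/1.1   # emergency mitigation from the article
</VirtualHost>
"""

if __name__ == "__main__":
    for label, conf in [("nginx before", NGINX_BEFORE), ("nginx legacy", NGINX_LEGACY),
                        ("nginx after", NGINX_AFTER)]:
        print(label, audit_nginx(conf))
    for label, conf in [("apache before", APACHE_BEFORE), ("apache after", APACHE_AFTER)]:
        print(label, audit_apache(conf))
```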

Why AI Discovered This Attack First

OpenAI’s Codex identified this vulnerability by recognizing a novel combination of two older, well-understood attack concepts: compression bombs and Slowloris-style connection holds. Neither technique is new individually—compression bombs have existed for decades, and Slowloris attacks date back to 2009. What made this discovery notable is that Codex synthesized these ideas into a practical, devastating exploit chain that no human researcher had previously documented as a cohesive attack against HTTP/2 servers. The discovery highlights both the power and the risk of AI-assisted security research: machine learning can identify novel attack paths faster than manual analysis, but those discoveries must be responsibly disclosed to vendors before public disclosure.

Scale of Exposure

A Shodan scan cited in secondary coverage reportedly identified over 880,000 internet-facing servers exposed to this attack pattern. This figure represents a snapshot of publicly visible HTTP/2 servers at the time of scanning and should be treated cautiously—not all of those servers are necessarily vulnerable, and some may already be patched or mitigated by the time readers encounter this article. However, the scale underscores the operational urgency: even if only a small percentage of those servers remain unpatched, the number of affected systems is substantial enough to warrant immediate action by system administrators and security teams.

Is the HTTP/2 Bomb DoS attack the same as earlier compression bomb attacks?

No. Earlier compression bomb attacks targeted individual decompression operations, while the HTTP/2 Bomb combines HPACK compression abuse with HTTP/2 flow-control manipulation to create a memory-exhaustion stall. The novelty is the chaining of two techniques into a practical exploit that affects production servers in default configurations.

Can a firewall or reverse proxy fully protect unpatched servers from the HTTP/2 Bomb DoS attack?

Only partially. A reverse proxy or firewall that enforces strict per-request header-count limits can reduce the attack’s effectiveness, but this protection is incomplete unless the limits are extremely aggressive. Full protection requires either patching the underlying server or disabling HTTP/2 entirely.

What should organizations do if they cannot patch immediately?

Disable HTTP/2 by reverting to HTTP/1.1 until patches are available and tested. On nginx, add "http2 off;" to your configuration. On Apache, set "Protocols http/1.1". This eliminates the attack surface at the cost of some performance. Monitor vendor advisories for patch releases and plan a re-enablement window once updates are deployed.

The HTTP/2 Bomb DoS attack demonstrates that AI-assisted security research can uncover critical vulnerabilities faster than traditional methods, but it also underscores the importance of rapid vendor response and clear mitigation guidance. System administrators should treat this as an urgent priority: audit your web server versions, apply patches where available, and disable HTTP/2 on unpatched systems until official fixes are deployed. The difference between a protected infrastructure and a compromised one may be just a configuration change away.

Edited by the All Things Geek team.

Source: TechRadar
