HTTP/2 Bomb: remote DoS against NGINX, Apache, IIS, Envoy and Cloudflare

Colleagues, please note: a critical HTTP/2 vulnerability ("HTTP/2 Bomb") enables remote denial of service against the major web servers and proxies.
- Researchers (Calif) demonstrate an attack that combines an HPACK "bomb" (a header block that is tiny on the wire but decompresses to a very large header list, because one large dynamic-table entry is referenced over and over by one-byte indexed fields) with a zero-window stream hold (the client advertises a flow-control window of 0, so the server cannot flush its response and must keep the decoded allocation alive). Repeated across streams, this forces the server to allocate again and again.
- Affected: NGINX, Apache HTTPD, Microsoft IIS, Envoy and Cloudflare Pingora; a single client can exhaust tens of GB of server memory.
- Mitigations: NGINX: upgrade to 1.29.8+ or disable HTTP/2 (`http2 off;` in the server block on 1.25.1+, or drop `http2` from the `listen` directive on older builds); Apache: mod_http2 v2.0.41+ or disable HTTP/2 (`Protocols http/1.1`, i.e. remove `h2`/`h2c`); at the time of writing there are no patches for IIS, Envoy or Cloudflare.
- Quick exposure check: `curl -sI --http2 -o /dev/null -w '%{http_version}\n' https://<host>/` prints `2` when the server negotiates HTTP/2.
Why it matters: the attack needs only a few kilobytes of traffic from one client and can take a service offline within seconds.
What will you do?
#cybersecurity #HTTP2 #DoS #NGINX
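To make the HPACK side of the attack concrete, here is a small, self-contained example (added here; not code from the researchers or from any of the affected projects). It implements just enough of RFC 7541 to build a header block that is about 5 KB on the wire yet decodes to roughly 4 MB of header-list accounting, and a decoder that enforces a decoded-size bound of the kind SETTINGS_MAX_HEADER_LIST_SIZE is meant to back. The zero-window stream hold from the post is not modelled; the function names, the 4000-byte value and the 1000 repetitions are my own choices for illustration.

```python
"""Minimal HPACK (RFC 7541) subset, written to show the 'HPACK bomb' amplification
and the decoder-side bound that defeats it. Added example; not from the original post."""

STATIC_TABLE_SIZE = 61   # RFC 7541 Appendix A defines 61 static entries; dynamic ones start at 62
ENTRY_OVERHEAD = 32      # RFC 7541 4.1: entry size = 32 + len(name) + len(value)


class HeaderListTooLarge(Exception):
    """Decoded header list exceeds the receiver's limit (the SETTINGS_MAX_HEADER_LIST_SIZE check)."""


def encode_int(value: int, prefix_bits: int, first_byte_flags: int = 0) -> bytes:
    """RFC 7541 5.1 integer representation with an N-bit prefix."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([first_byte_flags | value])
    out = bytearray([first_byte_flags | limit])
    value -= limit
    while value >= 128:
        out.append((value % 128) | 0x80)
        value //= 128
    out.append(value)
    return bytes(out)


def decode_int(block: bytes, pos: int, prefix_bits: int):
    limit = (1 << prefix_bits) - 1
    value = block[pos] & limit
    pos += 1
    if value < limit:
        return value, pos
    shift = 0
    while True:
        b = block[pos]
        pos += 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def encode_string(data: bytes) -> bytes:
    """String literal, H bit = 0 (raw octets, no Huffman), 7-bit length prefix."""
    return encode_int(len(data), 7) + data


def decode_string(block: bytes, pos: int):
    if block[pos] & 0x80:
        raise NotImplementedError("Huffman-coded strings are not handled in this minimal decoder")
    length, pos = decode_int(block, pos, 7)
    return block[pos:pos + length], pos + length


def build_hpack_bomb(value_len: int = 4000, repeats: int = 1000) -> bytes:
    """One 'literal with incremental indexing' field (creates dynamic-table index 62)
    followed by `repeats` one-byte indexed references to it. Constructed attack block."""
    literal = b"\x40" + encode_string(b"x") + encode_string(b"A" * value_len)
    indexed = encode_int(STATIC_TABLE_SIZE + 1, 7, 0x80)   # index 62 -> single byte 0xBE
    return literal + indexed * repeats


def decode_header_block(block: bytes, max_header_list_size=None, dynamic_table_size=4096):
    """Decode a header block into a list of (name, value) byte pairs.
    With max_header_list_size set, raise HeaderListTooLarge as soon as the accumulated
    decoded size (RFC 7540 6.5.2 accounting) exceeds it, instead of allocating it all."""
    dynamic = []      # newest entry first, as RFC 7541 numbers it
    headers = []
    total = 0
    pos = 0

    def add_header(name, value):
        nonlocal total
        total += ENTRY_OVERHEAD + len(name) + len(value)
        if max_header_list_size is not None and total > max_header_list_size:
            raise HeaderListTooLarge(f"decoded header list exceeds {max_header_list_size} bytes")
        headers.append((name, value))

    while pos < len(block):
        b = block[pos]
        if b & 0x80:                                    # 6.1 indexed header field
            index, pos = decode_int(block, pos, 7)
            if index == 0:
                raise ValueError("index 0 is a decoding error")
            if index <= STATIC_TABLE_SIZE:
                raise NotImplementedError("static-table lookups are not included in this minimal decoder")
            name, value = dynamic[index - STATIC_TABLE_SIZE - 1]
            add_header(name, value)
        elif b & 0x40:                                  # 6.2.1 literal with incremental indexing
            index, pos = decode_int(block, pos, 6)
            if index != 0:
                raise NotImplementedError("indexed names are not included in this minimal decoder")
            name, pos = decode_string(block, pos)
            value, pos = decode_string(block, pos)
            add_header(name, value)
            dynamic.insert(0, (name, value))            # RFC 7541 4.4: insert, then evict from the end until it fits
            while sum(ENTRY_OVERHEAD + len(n) + len(v) for n, v in dynamic) > dynamic_table_size:
                dynamic.pop()
        else:
            raise NotImplementedError("only indexed and incremental-indexing representations are handled")
    return headers


def amplification(value_len: int = 4000, repeats: int = 1000):
    """Return (bytes on the wire, bytes the receiver must account for) for the bomb block."""
    block = build_hpack_bomb(value_len, repeats)
    decoded = sum(ENTRY_OVERHEAD + len(n) + len(v) for n, v in decode_header_block(block))
    return len(block), decoded
```

Running `amplification()` gives 5006 bytes on the wire against 4,037,033 bytes of decoded header list, an amplification of roughly 800x from a single HEADERS frame; the unbounded decoder happily builds all 1001 entries, while `decode_header_block(build_hpack_bomb(), max_header_list_size=65536)` rejects the block after the 17th field. The post's point is that the zero-window hold keeps that per-stream allocation from ever being released, so the bound must be enforced during decoding, not after.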

