
HTTP/2 Bomb: remote DoS against NGINX, Apache, IIS, Envoy and Cloudflare

HTTP/2 Bomb: new vulnerability allows remote DoS on NGINX, Apache, IIS, Envoy and Cloudflare

Colleagues—please note: a critical HTTP/2 vulnerability ("HTTP/2 Bomb") enables remote DoS of major web servers.
- Researchers (Calif) demonstrate an attack combining an HPACK “bomb” with zero‑window stream hold, causing repeated server allocations.
- Affected: NGINX, Apache HTTPD, Microsoft IIS, Envoy and Cloudflare Pingora; a single client can exhaust tens of GB of memory.
- Mitigations: NGINX — upgrade to 1.29.8+ or disable HTTP/2; Apache — mod_http2 v2.0.41 or disable HTTP/2; no patches yet for IIS, Envoy or Cloudflare.
Why it matters: requires minimal traffic and can take services offline within seconds.
What will you do?
#cybersecurity #HTTP2 #DoS #NGINX
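
A triage check for the mitigations listed above, as an added example that is not part of the original post: it compares a reported NGINX or mod_http2 version against the fixed versions the post names and checks whether HTTP/2 is enabled in an NGINX config. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Fixed versions are the ones the
# post states; function names are hypothetical.
NGINX_FIXED="1.29.8"
MOD_HTTP2_FIXED="2.0.41"

# version_lt A B: succeeds when dotted version A is strictly lower than B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# nginx_version_from TEXT: extract X.Y.Z from `nginx -v` style output.
nginx_version_from() {
    printf '%s\n' "$1" | sed -n 's|.*nginx/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# nginx_http2_enabled: reads config text on stdin; succeeds when an
# uncommented "listen ... http2" or "http2 on;" directive is present.
nginx_http2_enabled() {
    grep -v '^[[:space:]]*#' |
        grep -Eq '^[[:space:]]*(listen[[:space:]].*[[:space:]]http2[[:space:];]|http2[[:space:]]+on[[:space:]]*;)'
}

# assess_nginx VERSION_TEXT CONFIG_FILE: prints patched, exposed,
# http2-disabled or unknown.
assess_nginx() {
    ver=$(nginx_version_from "$1")
    if [ -z "$ver" ]; then echo unknown
    elif ! version_lt "$ver" "$NGINX_FIXED"; then echo patched
    elif nginx_http2_enabled < "$2"; then echo exposed
    else echo http2-disabled
    fi
}

# mod_http2_needs_upgrade VERSION: succeeds when VERSION predates the fix.
mod_http2_needs_upgrade() { version_lt "$1" "$MOD_HTTP2_FIXED"; }

# Constructed sample input, not taken from a real host.
sample_conf=$(mktemp)
printf 'server {\n    listen 443 ssl http2;\n}\n' > "$sample_conf"
echo "nginx 1.29.7 + sample config: $(assess_nginx 'nginx version: nginx/1.29.7' "$sample_conf")"
rm -f "$sample_conf"
```

On a host, pass `"$(nginx -v 2>&1)"` as the first argument and a file holding the output of `nginx -T` as the second.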
