New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare

Summary: Cybersecurity researchers have discovered a remote denial-of-service exploit that affects major web servers, including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora. The vulnerability has been codenamed HTTP/2 Bomb by Calif. "The vulnerable behavior exists in each server's default HTTP/2 configuration," the company said, adding it was discovered by OpenAI Codex by chaining

By MSB

A newly disclosed vulnerability dubbed HTTP/2 Bomb is raising concerns across the cybersecurity community after researchers revealed that it can be exploited to trigger powerful denial-of-service (DoS) attacks against servers and applications that support the HTTP/2 protocol. The flaw highlights how even widely adopted internet technologies can contain architectural weaknesses that attackers may leverage to exhaust system resources and disrupt online services.

HTTP/2 was introduced to improve the performance and efficiency of web communications, offering features such as multiplexing (handling multiple requests simultaneously over a single connection) and header compression. These enhancements have helped modern websites load faster and operate more efficiently. However, the same mechanisms designed to improve performance can sometimes be abused in unexpected ways.

According to researchers, the HTTP/2 Bomb vulnerability allows attackers to generate a disproportionate amount of work for a target server using relatively limited resources. By crafting specially designed requests, an attacker can force servers to allocate excessive memory or processing power, potentially leading to service degradation, application crashes, or complete denial-of-service conditions.

What makes the issue particularly concerning is the amplification effect. Traditional denial-of-service attacks often require large amounts of traffic to overwhelm a target. In contrast, protocol-level attacks such as HTTP/2 Bomb can achieve significant impact with comparatively small volumes of traffic because they exploit the internal behavior of the protocol itself. This lowers the barrier to entry for attackers while making mitigation more challenging.

The disclosure follows a series of recent discoveries involving HTTP/2 and other modern web protocols. As internet infrastructure becomes more sophisticated, attackers continue searching for ways to abuse legitimate protocol features rather than relying solely on brute-force techniques. These attacks often target the assumptions made by protocol designers, creating situations where servers perform far more work than intended in response to seemingly valid requests.

Security experts note that the vulnerability could affect a broad range of environments because HTTP/2 is widely supported across web servers, cloud platforms, content delivery networks, reverse proxies, and enterprise applications. Organizations that rely on internet-facing services may therefore need to evaluate their exposure and ensure that available mitigations and updates are applied promptly.

The incident underscores an important challenge in modern cybersecurity: performance optimization and security are often closely interconnected. Features that improve speed, scalability, and efficiency can sometimes introduce unexpected attack surfaces that only become apparent after years of real-world deployment and analysis.

Cloud providers and infrastructure vendors have become increasingly focused on defending against protocol abuse attacks, particularly as cybercriminals seek more efficient methods for disrupting online services. Recent years have seen a growing number of attacks that exploit the logic of network protocols rather than simply overwhelming targets with massive amounts of traffic.

For organizations, the discovery serves as another reminder that denial-of-service threats continue to evolve. Effective defense requires more than bandwidth and traffic filtering. Security teams must also understand how protocols behave under abnormal conditions and ensure that infrastructure can withstand attempts to exploit legitimate features in unintended ways.

While patches and mitigations are being developed and distributed, the emergence of HTTP/2 Bomb illustrates how foundational internet technologies remain attractive targets for security researchers and attackers alike. As businesses continue to depend on always-available digital services, even subtle protocol-level vulnerabilities can have far-reaching consequences.

The discovery reinforces a broader lesson for the industry: cybersecurity is not only about protecting software from bugs but also about understanding how complex systems behave under stress. As protocols evolve and new features are introduced, maintaining resilience against creative forms of abuse will remain a critical priority for organizations worldwide.

Key facts

  • A new remote denial-of-service exploit called HTTP/2 Bomb has been discovered
  • The vulnerability affects major web servers such as NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora
  • The exploit targets the default HTTP/2 configuration of these servers
  • OpenAI Codex was used to discover the vulnerability

Why it matters

The widespread adoption of the affected web server software means that this HTTP/2 Bomb vulnerability could potentially impact a significant portion of internet infrastructure. Organizations relying on these servers for web services face an elevated risk of denial-of-service attacks, necessitating prompt patching and configuration review to maintain service availability and security.