New HTTP/2 Bomb Attack Threatens NGINX, Apache, IIS, Envoy, and Pingora Servers

Cybersecurity researchers have uncovered a new denial-of-service (DoS) attack technique capable of overwhelming some of the world’s most widely used web servers, including NGINX, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora.

The attack, dubbed HTTP/2 Bomb, exploits weaknesses in the default HTTP/2 implementations of multiple server platforms, allowing attackers to consume massive amounts of memory and potentially render services unavailable within seconds.

What Is HTTP/2 Bomb?

Security firm Calif revealed that the attack was initially identified by OpenAI Codex and combines two well-known techniques:

  • A header compression bomb
  • A Slowloris-style connection hold

By chaining these methods together, attackers can force servers to allocate large amounts of memory while preventing that memory from being released.

According to researchers, the attack specifically targets HPACK, the header compression mechanism used in the HTTP/2 protocol.

In a vulnerable scenario, a single byte of incoming traffic can trigger a full header allocation on the server side, and this process can be repeated thousands of times within a single request. Attackers then use HTTP/2 flow-control features to keep the connection open indefinitely, preventing the server from reclaiming the allocated memory.

Understanding HPACK and Slowloris

HPACK is the compression algorithm used by HTTP/2 to reduce the size of request and response headers. By using techniques such as Huffman encoding, HPACK typically reduces header sizes by around 30% while protecting against compression-related attacks like CRIME.

Slowloris, meanwhile, is a classic application-layer denial-of-service attack that works by opening numerous HTTP connections and keeping them active for as long as possible. This consumes server resources and can eventually prevent legitimate users from accessing the service.

HTTP/2 Bomb combines these concepts in a new way, creating a highly efficient memory exhaustion attack.

How the Attack Works

Researchers noted that previous HPACK-based attacks relied on inserting large amounts of data into compression tables and repeatedly referencing them. In response, server vendors implemented limits on decoded header sizes to mitigate the risk.

HTTP/2 Bomb bypasses these protections by taking a different approach.

Instead of using large headers, the attack sends nearly empty headers that still trigger significant memory allocations due to internal server bookkeeping requirements. Because the actual decoded header size remains small, traditional size-based protections never activate.

The result is a highly effective amplification technique that can consume enormous amounts of server memory with minimal network traffic.
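To make the "small decoded size, many allocations" point concrete, here is an added example (not code from the article or from Calif): a minimal decoder for HPACK's indexed header field representation (RFC 7541, section 6.1) restricted to the first seven static-table entries, run over a constructed header block in which every octet decodes to one complete header field. It contrasts a decoded-size check (the RFC 7540 name + value + 32 accounting) with a header-count check of the kind the article describes; the 128 KiB size threshold is a constructed comparison value, not any server's default.

```python
from typing import List, Optional, Tuple

# Subset of the RFC 7541 Appendix A static table (real entries 1..7).
STATIC_TABLE = {
    1: (":authority", ""),
    2: (":method", "GET"),
    3: (":method", "POST"),
    4: (":path", "/"),
    5: (":path", "/index.html"),
    6: (":scheme", "http"),
    7: (":scheme", "https"),
}

class HeaderLimitExceeded(Exception):
    """Raised when a header block carries more fields than the server allows."""

def decode_indexed_fields(block: bytes, max_headers: Optional[int] = None) -> Tuple[List[Tuple[str, str]], int]:
    """Decode a block consisting only of single-octet indexed header fields.

    Returns (headers, decoded_size), where decoded_size uses the RFC 7540
    header-list accounting: len(name) + len(value) + 32 per field.
    If max_headers is given, abort as soon as the field *count* exceeds it.
    """
    headers: List[Tuple[str, str]] = []
    size = 0
    for octet in block:
        if octet & 0x80 == 0:
            raise ValueError("only indexed fields (first bit set) are handled")
        index = octet & 0x7F  # 7-bit prefix; 127 would need more octets
        if index not in STATIC_TABLE:
            raise ValueError(f"index {index} not in the static-table subset")
        if max_headers is not None and len(headers) >= max_headers:
            raise HeaderLimitExceeded(f"more than {max_headers} header fields")
        name, value = STATIC_TABLE[index]
        headers.append((name, value))  # one full field per wire octet
        size += len(name) + len(value) + 32
    return headers, size

def passes_size_limit(block: bytes, max_list_size: int) -> bool:
    return decode_indexed_fields(block)[1] <= max_list_size

def passes_count_limit(block: bytes, max_headers: int) -> bool:
    try:
        decode_indexed_fields(block, max_headers=max_headers)
        return True
    except HeaderLimitExceeded:
        return False

# Constructed sample: 3000 wire octets, each decoding to a tiny header field.
SAMPLE_BLOCK = b"\x82\x84\x87" * 1000

if __name__ == "__main__":
    hdrs, size = decode_indexed_fields(SAMPLE_BLOCK)
    print(f"{len(SAMPLE_BLOCK)} wire bytes -> {len(hdrs)} fields, {size} decoded bytes")
    print("128 KiB size limit fires:", not passes_size_limit(SAMPLE_BLOCK, 128 * 1024))
    print("1000-field count limit fires:", not passes_count_limit(SAMPLE_BLOCK, 1000))
```

The 3000-octet block decodes to about 124 KB of header list, so a 128 KiB size check lets it through while a count check of 1000 fields rejects it; the per-field work a real server does on each of those 3000 fields is the bookkeeping cost the article describes.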

Potential Impact

The consequences of a successful HTTP/2 Bomb attack can be severe.

Researchers estimate that:

  • A home computer with a 100 Mbps internet connection could make a vulnerable server unavailable within seconds.
  • A single attacker could consume and hold up to 32 GB of memory on vulnerable Apache HTTPD and Envoy servers in approximately 20 seconds.
  • The attack requires relatively low bandwidth while causing disproportionate resource consumption on the target server.

Because HTTP/2 allows clients to maintain connections with minimal effort, attackers can keep allocated memory locked for extended periods, increasing the effectiveness of the attack.

Affected Platforms

The vulnerability affects several major web server technologies, including:

  • NGINX
  • Apache HTTP Server (HTTPD)
  • Microsoft IIS
  • Envoy Proxy
  • Cloudflare Pingora

Researchers noted that the vulnerable behavior exists in the default HTTP/2 configuration of these platforms.

Available Mitigations

Organizations running affected services are advised to take immediate action.

NGINX

Administrators should upgrade to NGINX 1.29.8 or later, which introduces the new max_headers directive with a default limit of 1,000 headers.

If upgrading is not immediately possible, disabling HTTP/2 using:

http2 off;

can reduce exposure.

Apache HTTP Server

The issue has been addressed in mod_http2 v2.0.41.

Organizations unable to upgrade should consider disabling HTTP/2 by configuring:

Protocols http/1.1

Microsoft IIS, Envoy, and Cloudflare Pingora

At the time of disclosure, no official patches were available for these platforms.

Administrators should closely monitor vendor advisories and implement compensating controls where possible.

Why This Attack Is Different

Researchers believe the vulnerability highlights a broader issue in how HTTP/2 memory risks are evaluated.

Traditional defenses focus on limiting compression amplification ratios. However, HTTP/2 Bomb demonstrates that amplification alone is not the primary concern.

The real danger emerges when attackers can force memory allocations and then keep those allocations active indefinitely through persistent connections.

As a result, even moderate amplification can become a serious threat when the allocated memory remains pinned for extended periods.

Final Thoughts

The discovery of HTTP/2 Bomb serves as a reminder that protocol-level features can introduce unexpected attack surfaces when combined in novel ways.

Organizations using HTTP/2-enabled services should review their server configurations, apply available patches, and monitor vendor guidance for additional mitigations. Given the low bandwidth requirements and potentially devastating impact, this attack represents a significant threat to internet-facing infrastructure running vulnerable configurations.
