HTTP/2 ‘bomb’ exploit can remotely DoS major web servers
Calif reported an HTTP/2 ‘bomb’ exploit can remotely deny service to NGINX, Apache HTTPD, Microsoft IIS, Envoy and Cloudflare Pingora by abusing HPACK and flow control.
Security firm Calif reported a remote denial-of-service exploit called “HTTP/2 Bomb” that affects the default HTTP/2 configurations of NGINX, Apache HTTPD, Microsoft IIS, Envoy and Cloudflare Pingora. Calif found the technique using OpenAI Codex by chaining a compression-bomb style attack against HPACK with a Slowloris-like connection hold.
HPACK is the header compression algorithm used by HTTP/2 to reduce the size of request and response metadata. The exploit sends many nearly empty header entries that force servers to allocate per-entry bookkeeping. Because the headers contain almost no decoded data, decoded-size limits do not trigger, but the bookkeeping allocations still consume significant memory. The attacker then uses a zero-byte flow-control window to prevent the server from freeing those allocations, keeping the memory pinned while the connection remains open.
Calif explained, ‘What’s new here is where the amplification comes from. The classic bomb stuffs a large value into the table and references it repeatedly, so servers learned to cap the total decoded header size. Our variant goes the other way: the header is nearly empty, and the amplification comes from the per-entry bookkeeping the server allocates around it.’ The firm added that clients can hold connections open at very low cost, allowing held memory to be used for an attack.
Calif estimated that a single client can allocate and hold about 32GB of server memory against Apache HTTPD and Envoy in roughly 20 seconds. In a hypothetical test, a typical 100Mbps home connection could render a vulnerable server unavailable within seconds.
The issue follows earlier HPACK and HTTP/2 problems, including the HPACK Bomb disclosed in 2016 and a recent Apache HTTP/2 memory exhaustion flaw identified as CVE-2025-53020.
NGINX addressed the vulnerability in version 1.29.8 and later by adding a max_headers directive with a default limit of 1,000; operators who cannot upgrade can disable HTTP/2 with the ‘http2 off’ directive. Apache HTTPD fixed the issue in mod_http2 v2.0.41; administrators who cannot update the module can disable HTTP/2 by setting Protocols to http/1.1. At the time of Calif’s advisory, Microsoft IIS, Envoy and Cloudflare Pingora had no public patches available.
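The following Python model is an added illustration, not code from the article, Calif or any of the servers named above. It contrasts the two server-side limits the article describes: the decoded-size cap that the classic HPACK bomb taught servers to add, and a per-request header-count cap of the kind NGINX 1.29.8 introduces with max_headers (default 1,000). The per-header bookkeeping cost, the 16KB decoded-size limit and the sample header lists are constructed assumptions used only to show why the first check passes a block of many nearly empty headers and the second rejects it.

```python
# Added example, not code from the article, Calif, or any of the named servers.
# It models two server-side header-list checks to show why the size cap that
# stops the classic HPACK bomb does not stop a block of many nearly empty
# headers, and why a per-request header-count cap (the article reports NGINX
# 1.29.8 adding a max_headers directive with a default of 1,000) does.
# All per-entry costs and limit values below are constructed assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple

Header = Tuple[bytes, bytes]

# RFC 7541 section 4.1 charges 32 octets of overhead per dynamic-table entry;
# a real server's per-header bookkeeping (struct, list node, allocator slack)
# is larger. 128 bytes is an assumed illustrative figure, not a measurement.
ASSUMED_PER_HEADER_BOOKKEEPING = 128


@dataclass
class Limits:
    max_decoded_bytes: int          # total name+value octets per header list
    max_headers: Optional[int]      # entry-count cap; None = server without one


def decoded_size(headers: List[Header]) -> int:
    """Octets of header data after HPACK decoding (what size caps measure)."""
    return sum(len(name) + len(value) for name, value in headers)


def bookkeeping_bytes(headers: List[Header]) -> int:
    """Modelled allocation cost that size caps do not see."""
    return len(headers) * ASSUMED_PER_HEADER_BOOKKEEPING


def check_header_list(headers: List[Header], limits: Limits) -> str:
    """Return 'ok' or the reason a server with these limits would reject."""
    if limits.max_headers is not None and len(headers) > limits.max_headers:
        return "reject:header-count"
    if decoded_size(headers) > limits.max_decoded_bytes:
        return "reject:decoded-size"
    return "ok"


def classic_bomb_sample(value_len: int = 64 * 1024) -> List[Header]:
    """Constructed: one header carrying a large decoded value."""
    return [(b"x", b"a" * value_len)]


def nearly_empty_sample(count: int) -> List[Header]:
    """Constructed: many one-octet headers with empty values."""
    return [(b"x", b"")] * count


if __name__ == "__main__":
    size_only = Limits(max_decoded_bytes=16 * 1024, max_headers=None)
    with_count = Limits(max_decoded_bytes=16 * 1024, max_headers=1000)
    for label, sample in (("classic bomb", classic_bomb_sample()),
                          ("nearly-empty x10000", nearly_empty_sample(10_000))):
        print(f"{label}: decoded={decoded_size(sample)}B "
              f"bookkeeping~{bookkeeping_bytes(sample)}B "
              f"size-only={check_header_list(sample, size_only)} "
              f"with-count={check_header_list(sample, with_count)}")
```

Run as a script, the classic bomb is rejected by the decoded-size cap under both limit sets, while the list of 10,000 nearly empty headers decodes to only 10,000 octets and passes a size-only server even though the modelled bookkeeping for it is over a megabyte per request; only the count cap rejects it. That is the gap the article describes, and why operators who cannot upgrade are pointed at disabling HTTP/2 rather than tuning header-size buffers.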
Network operators are advised to apply available updates, limit the number of simultaneous HTTP/2 streams and monitor for unusual connection patterns that could indicate attempts to hold flow-control windows open.