HTTP/2 Bomb: single 100 Mbps client crashes NGINX, Apache, IIS, Envoy, Cloudflare Pingora in seconds - found by OpenAI Codex agent

Offensive-security firm Calif, with discovery work performed by OpenAI's Codex software agent, has disclosed HTTP/2 Bomb, a denial-of-service attack that crashes web servers from a single machine in seconds. It works against the default HTTP/2 configurations of NGINX, Apache, Microsoft IIS, Envoy, and Cloudflare Pingora. The technique combines HPACK header-compression amplification (one attacker byte triggering thousands of bytes of server allocation, up to 5,700:1 on Envoy) with Slowloris-style flow-control stalling: the client advertises a zero-byte window, so the server can never flush its responses and the allocated memory is never freed. A home computer on a 100 Mbps link can force Apache or Envoy to hold 32 GB of RAM in roughly 20 seconds, bypassing existing header-size defenses.

Check
Inventory internet-facing web servers and proxies running HTTP/2 (NGINX, Apache, IIS, Envoy, Cloudflare Pingora). Monitor for sudden per-connection memory growth and for HTTP/2 streams that stay stalled behind a zero-size flow-control window.
Affected
Default HTTP/2 configurations of NGINX, Apache, IIS, Envoy, and Cloudflare Pingora. A single 100 Mbps client can hold 32 GB of server RAM in ~20 seconds, bypassing header-size limits.
Fix
Apply vendor HTTP/2 patches and mitigations as released. Cap per-connection memory and concurrent streams, enforce flow-control timeouts, and rate-limit HTTP/2 connections. Consider disabling HTTP/2 on exposed servers until patched.
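As an added, hypothetical model (not code from Calif, Codex, or any of the servers named), the per-connection accounting implied by the mechanism described above and by the per-connection cap and flow-control timeout in the Fix list. It shows why a per-request header-size limit alone does not bound memory once HPACK expands many tiny frames across many streams, and how an aggregate decoded-header budget and a zero-window stall timeout each close the connection; all sizes and timings are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Http2ConnGuard:                # hypothetical per-connection accounting, not a real server's
    per_stream_limit: int            # classic max decoded header size for one request
    conn_budget: int                 # aggregate decoded-header bytes one connection may hold
    stall_timeout: float             # seconds a zero-window peer may keep responses pinned
    send_window: int = 65535         # connection-level send window granted by the peer
    held: dict = field(default_factory=dict)  # stream_id -> decoded bytes pinned in memory
    stalled: float = 0.0
    closed: str = ""                 # non-empty once the connection has been torn down

    def on_headers(self, stream_id: int, decoded_bytes: int) -> str:
        """A HEADERS frame arrived; decoded_bytes is its size after HPACK expansion."""
        if decoded_bytes > self.per_stream_limit:
            return "RST_STREAM"      # per-request limit: only catches one oversized stream
        if sum(self.held.values()) + decoded_bytes > self.conn_budget:
            self.closed = "decoded header budget exceeded"
            return "GOAWAY"          # aggregate cap: what the per-request limit misses
        self.held[stream_id] = decoded_bytes
        return "OK"

    def try_respond(self, stream_id: int, body_bytes: int) -> bool:
        """Memory is freed only once the response can be flushed into the peer's window."""
        if self.send_window < body_bytes:
            return False             # zero (or too small) window: memory stays pinned
        self.send_window -= body_bytes
        self.held.pop(stream_id, None)
        return True

    def tick(self, dt: float) -> None:
        """Advance time; a peer holding a zero window while streams are pinned is timed out."""
        if self.held and self.send_window == 0:
            self.stalled += dt
            if self.stalled >= self.stall_timeout:
                self.closed = "flow-control stall timeout"
        else:
            self.stalled = 0.0

def run_scenario(conn_budget: int, streams: int = 200, wire: int = 4, decoded: int = 8_000, tick_dt: float = 0.01) -> dict:
    # Constructed scenario: tiny HEADERS frames (wire bytes) that HPACK indexing expands to decoded bytes, window held at zero.
    g = Http2ConnGuard(per_stream_limit=16_000, conn_budget=conn_budget, stall_timeout=5.0, send_window=0)
    sent = 0
    for sid in range(1, 2 * streams, 2):           # client-initiated streams are odd-numbered
        if g.closed or g.on_headers(sid, decoded) != "OK":
            break
        sent += wire
        g.try_respond(sid, 1)                      # never succeeds: the peer's window is zero
        g.tick(tick_dt)
    return {"wire_bytes": sent, "held_bytes": sum(g.held.values()), "closed": g.closed}
```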