E-Ink News Daily

Codex Discovered a Hidden HTTP/2 Bomb

A critical HTTP/2 vulnerability dubbed 'HTTP/2 Bomb' has been discovered, affecting major web servers including nginx, Apache, IIS, Envoy, and Cloudflare Pingora. The exploit combines a compression bomb with a Slowloris-style attack to amplify small requests into massive memory consumption, with some servers being brought down in seconds. The vulnerability exists in default configurations and affects over 880,000 websites, though CDNs provide some mitigation.

Background

HTTP/2 is the second major version of the HTTP network protocol, widely adopted for web communication. It includes header compression (HPACK) to improve performance, but this feature has been exploited in the newly discovered attack.

Source: Lobsters
Published: Jun 3, 2026 at 04:03 AM
Score: 9.0 / 10