Codex Discovered a Hidden HTTP/2 Bomb
7 hours ago
- #Web Server Vulnerabilities
- #Denial-of-Service
- #HTTP/2 Security
- An HTTP/2 vulnerability named 'HTTP/2 Bomb' has been disclosed, affecting major web servers including nginx, Apache, IIS, Envoy, and Cloudflare Pingora.
- The attack combines a compression bomb targeting HPACK header compression with a Slowloris-style hold that uses zero-byte flow control, so that a small amount of traffic is amplified into a large, long-lived memory footprint on the server.
- Exploitation can cause severe denial of service: a single home computer can render servers inaccessible in seconds, and some servers were observed consuming up to 32 GB of memory in under 20 seconds.
- The vulnerability stems from servers not adequately limiting the number of header fields (including cookie crumbs) and allowing stalled streams to pin decoded header memory indefinitely.
- Mitigations include upgrading to patched versions (e.g., nginx 1.29.8 or later), disabling HTTP/2, or enforcing header-count caps and per-connection memory limits.
- The flaw was discovered by Codex (an AI model) by chaining known techniques, which highlights gaps in the HTTP/2 specifications and in human oversight of implementations.
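The two halves of the attack summarised above (HPACK amplification and stalled streams pinning memory) and the corresponding mitigations (a header-count cap and a per-connection memory budget) can be modelled in a few lines. The following is an added example written for this page, not code from the article or from any of the named servers; the limits, the wire/decoded byte sizes and the accounting API are all illustrative assumptions.

```python
"""Toy per-connection accounting model for HTTP/2 header memory.

Added example (not from the article). It shows how an HPACK indexed
representation that costs a byte or two on the wire can expand to a large
decoded header, why a stream whose peer advertises a zero-byte flow-control
window keeps that decoded memory pinned, and how a header-count cap plus a
per-connection memory budget bound the damage. All limits are assumed values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed limits for this model; real servers pick their own values.
MAX_HEADER_FIELDS_PER_STREAM = 64
MAX_PINNED_BYTES_PER_CONNECTION = 256 * 1024

# A header field as (wire_bytes, decoded_bytes). Cookie crumbs count as
# separate fields here, so they are covered by the per-stream count cap.
HeaderField = Tuple[int, int]


def amplification(fields: List[HeaderField]) -> float:
    """Ratio of decoded header bytes to bytes received on the wire."""
    wire = sum(w for w, _ in fields)
    decoded = sum(d for _, d in fields)
    return decoded / wire if wire else 0.0


@dataclass
class Stream:
    stream_id: int
    pinned_bytes: int          # decoded header memory held for this stream
    window_open: bool = True   # False once the peer sends a zero-byte window


@dataclass
class ConnectionBudget:
    max_fields: int = MAX_HEADER_FIELDS_PER_STREAM
    max_pinned: int = MAX_PINNED_BYTES_PER_CONNECTION
    streams: Dict[int, Stream] = field(default_factory=dict)

    def pinned_bytes(self) -> int:
        """Memory currently held by all open streams on this connection."""
        return sum(s.pinned_bytes for s in self.streams.values())

    def open_stream(self, stream_id: int, fields: List[HeaderField]) -> str:
        """Admit a new stream only if both caps hold; otherwise name the cap hit."""
        if len(fields) > self.max_fields:
            return "REJECT_HEADER_COUNT"
        decoded = sum(d for _, d in fields)
        if self.pinned_bytes() + decoded > self.max_pinned:
            return "REJECT_MEMORY_BUDGET"
        self.streams[stream_id] = Stream(stream_id, decoded)
        return "ACCEPT"

    def set_window(self, stream_id: int, open_: bool) -> None:
        """Record whether the peer's flow-control window allows a response."""
        self.streams[stream_id].window_open = open_

    def flush_stream(self, stream_id: int) -> bool:
        """Write the response and release memory; impossible while stalled."""
        stream = self.streams.get(stream_id)
        if stream is None or not stream.window_open:
            return False
        del self.streams[stream_id]
        return True


def demo() -> Dict[str, object]:
    """Walk through the amplify-then-stall pattern against the two caps."""
    # Constructed sample: 40 indexed fields, 2 wire bytes each, 4 KiB decoded.
    bomb_fields: List[HeaderField] = [(2, 4096)] * 40
    budget = ConnectionBudget()
    result = {"amplification": amplification(bomb_fields)}
    result["first"] = budget.open_stream(1, bomb_fields)
    budget.set_window(1, False)           # peer stalls the stream
    result["flush_while_stalled"] = budget.flush_stream(1)
    result["second"] = budget.open_stream(3, bomb_fields)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The memory budget is what turns an unbounded pile-up into a bounded one: once the peer stalls stream 1 its 160 KiB stays pinned, and the next identical stream is refused rather than admitted, so the connection can hold at most `max_pinned` bytes of decoded headers no matter how many stalled streams the client tries to open.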