Researchers find HTTP/2 flaw that can trigger rapid denial of service on major servers

Cybersecurity researchers said in a technical analysis from Calif that a new remote denial-of-service flaw called HTTP/2 Bomb can affect NGINX, Apache HTTPD, Microsoft IIS, Envoy and Cloudflare Pingora, with some vulnerable servers able to become inaccessible within seconds.

KEY FACTS

  • Affected software: NGINX, Apache HTTPD, Microsoft IIS, Envoy and Cloudflare Pingora
  • Attack method: The flaw combines HPACK header compression abuse with a Slowloris-style connection hold
  • Impact: A single client could consume and hold 32GB of memory against Apache HTTPD and Envoy in about 20 seconds
  • Mitigations: NGINX and Apache HTTPD have fixes or configuration workarounds, while no patch was listed for IIS, Envoy or Pingora

The disclosure said the vulnerable behavior exists in default HTTP/2 configurations. It described a method in which one byte on the wire can trigger a much larger server allocation, while the connection stays open and prevents memory from being freed.

Researchers said the attack differs from older HPACK bombs because the amplification comes from per-entry bookkeeping rather than large decoded headers. That means size limits on decoded data may not stop the issue because there is little data to decode.

In the scenario described, a home computer on a 100Mbps connection could knock a vulnerable server offline quickly. The report also said the same client traffic could pin large amounts of memory on affected servers for extended periods.

For NGINX, the suggested fix is version 1.29.8 or later, which adds a max_headers setting with a default limit of 1000. For Apache HTTPD, the report points to mod_http2 v2.0.41 and says HTTP/2 can be disabled by setting Protocols http/1.1 if upgrading is not possible.

No patch was listed for Microsoft IIS, Envoy or Cloudflare Pingora at the time of the disclosure. Calif said the issue shows that memory risk depends not only on amplification ratios but also on whether connections can keep allocated memory pinned.
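To make the accounting argument concrete, here is an added toy model, not code from Calif's report or from any of the affected servers. It assumes a fixed per-entry bookkeeping overhead and a decoded-byte limit (both constants are assumptions), uses the 1000-entry count limit the report cites for NGINX, and shows why a policy that only bounds decoded bytes accepts a header list whose pinned memory is many times its decoded size, while a count-based policy rejects it.

```python
"""Toy accounting model (added illustration, not code from the report or any
affected server): why a limit on decoded header bytes does not bound the
per-entry bookkeeping that a held-open connection keeps pinned."""
from dataclasses import dataclass

BOOKKEEPING_BYTES = 64          # assumed fixed overhead per decoded entry (not measured)
DECODED_BYTE_LIMIT = 64 * 1024  # assumed "max decoded header bytes" style limit
MAX_HEADERS = 1000              # entry-count limit; the report cites 1000 as NGINX's default

@dataclass
class Header:
    name: str
    value: str

    def decoded_size(self) -> int:
        return len(self.name) + len(self.value)

def pinned_memory(headers: list[Header]) -> int:
    """Bytes the model server keeps allocated while the connection stays open."""
    return sum(h.decoded_size() + BOOKKEEPING_BYTES for h in headers)

def accepts_by_decoded_size(headers: list[Header]) -> bool:
    """Policy that only bounds decoded bytes; it never looks at the entry count."""
    return sum(h.decoded_size() for h in headers) <= DECODED_BYTE_LIMIT

def accepts_by_count(headers: list[Header]) -> bool:
    """Policy that bounds the entry count, which also bounds bookkeeping."""
    return len(headers) <= MAX_HEADERS

def compare_policies(headers: list[Header]) -> dict:
    """Summarise how each policy treats the list and what holding it would cost."""
    return {
        "entries": len(headers),
        "decoded_bytes": sum(h.decoded_size() for h in headers),
        "pinned_bytes": pinned_memory(headers),
        "size_limit_accepts": accepts_by_decoded_size(headers),
        "count_limit_accepts": accepts_by_count(headers),
    }

def sample_tiny_headers(n: int) -> list[Header]:
    """Constructed input: n headers that each decode to a single byte."""
    return [Header("x", "") for _ in range(n)]

if __name__ == "__main__":
    print(compare_policies(sample_tiny_headers(50_000)))
```

With the assumed constants, 50,000 one-byte headers stay under the decoded-byte limit yet pin about 65 times their decoded size, which is the per-entry effect the report describes; the count limit rejects the same list.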

WHY IT MATTERS

The flaw could let a small number of connections disrupt widely used web infrastructure without needing much bandwidth. That makes HTTP/2 configuration and memory handling important for operators that rely on the affected servers.