Security researchers are warning of a flaw in the default HTTP/2 configuration of major web servers, one that reportedly survived more than a decade of human review before showing up in Codex-assisted analysis.

A flaw in the handling of the HTTP/2 protocol made a denial-of-service (DoS) attack possible on web servers including nginx, Apache HTTP server, Microsoft IIS, Envoy, and Cloudflare’s Pingora, according to security consultancy Calif.

HTTP/2 was introduced in 2015 to speed up HTTP by multiplexing many concurrent request and response streams over a single connection, and is gradually being superseded by HTTP/3, which runs over the QUIC encrypted transport protocol. The problem uncovered by Calif lies in how affected servers handle HTTP/2 header compression and request processing, allowing an attacker to trigger disproportionate memory consumption.

“The attack chained two techniques known to humans for a decade: a compression bomb and a Slowloris-style hold,” Calif CEO Thai Duong said in a blog post, calling the technique HTTP/2 Bomb. A search of Shodan revealed 880,000+ websites supporting HTTP/2 and running one of these servers, although many of these websites use a Content Delivery Network (CDN), which may add some complexity to the attack, he said.

Weaponizing a compression feature for DoS

The issue, tracked as CVE-2026-49975, involves HPACK, the header compression mechanism built into HTTP/2. Calif found that attackers can abuse the protocol’s dynamic header table in a way that forces servers to repeatedly allocate memory far beyond what would normally be expected from the size of incoming requests.

A relatively small amount of attacker-controlled traffic can trigger excessive memory allocations on the target server, Duong said.

“The bomb targets HPACK, HTTP/2’s header compression scheme: One byte on the wire becomes one full header allocation on the server, repeated thousands of times per request,” he said. “The hold is a zero-byte flow-control window that keeps the server from ever freeing any of it.”
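The bomb half of the chain comes down to HPACK's indexed header field representation: once a header sits in the decoder's dynamic table, a single byte referencing its index makes the server materialise the whole name and value again. The following is an added example, not Calif's code and not any server's HPACK implementation: a minimal RFC 7541 decoder covering only the pieces the bomb needs (indexed fields, literals with incremental indexing, non-Huffman strings, a subset of the static table), a constructed attacker block, and the same decoder with a per-request header-count cap and a SETTINGS_MAX_HEADER_LIST_SIZE-style byte cap. The header name `x-pad`, the padding length, the reference count and the cap values are all illustrative choices.

```python
"""HPACK indexed-reference amplification: a naive decoder beside a capped one.
Constructed demo; not Calif's code nor any server's HPACK. Unsupported pieces raise."""
from dataclasses import dataclass, field

STATIC_TABLE = {1: (b":authority", b""), 2: (b":method", b"GET"), 3: (b":method", b"POST"),
                4: (b":path", b"/"), 6: (b":scheme", b"http"), 7: (b":scheme", b"https")}
STATIC_COUNT = 61      # dynamic-table entries are addressed from index 62 (RFC 7541 s2.3.3)
ENTRY_OVERHEAD = 32    # RFC 7541 s4.1: entry size = len(name) + len(value) + 32

class HpackError(Exception):
    pass

@dataclass
class DynamicTable:
    max_size: int = 4096                         # SETTINGS_HEADER_TABLE_SIZE default
    entries: list = field(default_factory=list)  # newest entry first

    def add(self, name, value):
        self.entries.insert(0, (name, value))
        while sum(len(n) + len(v) + ENTRY_OVERHEAD for n, v in self.entries) > self.max_size:
            self.entries.pop()                   # evict the oldest entry

    def lookup(self, index):
        if index in STATIC_TABLE:
            return STATIC_TABLE[index]
        dyn = index - STATIC_COUNT - 1
        if 0 <= dyn < len(self.entries):
            return self.entries[dyn]
        raise HpackError(f"index {index} not in table")

def encode_int(value, prefix_bits, flags=0):
    """RFC 7541 s5.1 integer with an N-bit prefix."""
    mask = (1 << prefix_bits) - 1
    if value < mask:
        return bytes([flags | value])
    out, value = bytearray([flags | mask]), value - mask
    while value >= 128:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)

def decode_int(block, pos, prefix_bits):
    """Inverse of encode_int; returns (value, next_pos)."""
    mask = (1 << prefix_bits) - 1
    value, pos, shift = block[pos] & mask, pos + 1, 0
    if value < mask:
        return value, pos
    while True:
        b, pos = block[pos], pos + 1
        value, shift = value + ((b & 0x7F) << shift), shift + 7
        if not b & 0x80:
            return value, pos

def decode_string(block, pos):
    if block[pos] & 0x80:
        raise HpackError("Huffman strings are out of scope for this demo")
    length, pos = decode_int(block, pos, 7)
    return bytes(block[pos:pos + length]), pos + length

def decode_headers(block, table, max_headers=None, max_list_size=None):
    """Both caps None: the naive decoder, every reference becomes a full header.
    max_list_size uses SETTINGS_MAX_HEADER_LIST_SIZE accounting (name + value + 32)."""
    headers, pos, list_size = [], 0, 0
    while pos < len(block):
        first = block[pos]
        if first & 0x80:                         # indexed field: one byte on the wire
            index, pos = decode_int(block, pos, 7)
            name, value = table.lookup(index)
        elif first & 0x40:                       # literal with incremental indexing
            index, pos = decode_int(block, pos, 6)
            if index:
                name = table.lookup(index)[0]
            else:
                name, pos = decode_string(block, pos)
            value, pos = decode_string(block, pos)
            table.add(name, value)
        else:
            raise HpackError("representation not supported in this demo")
        headers.append((name, value))            # the allocation the attacker buys
        list_size += len(name) + len(value) + ENTRY_OVERHEAD
        if max_headers is not None and len(headers) > max_headers:
            raise HpackError(f"more than {max_headers} headers in one request")
        if max_list_size is not None and list_size > max_list_size:
            raise HpackError(f"header list exceeds {max_list_size} bytes")
    return headers

def build_bomb(refs, pad_len):
    """Constructed attacker block: one literal that lands at dynamic index 62,
    followed by `refs` one-byte indexed references (0x80 | 62) to it."""
    name, value = b"x-pad", b"A" * pad_len
    literal = bytes([0x40]) + encode_int(len(name), 7) + name + encode_int(len(value), 7) + value
    return literal + bytes([0x80 | (STATIC_COUNT + 1)]) * refs

def capped_rejects(refs=2000, pad_len=4000, max_headers=100, max_list_size=65536):
    """True if the capped decoder refuses the block (cap values are illustrative)."""
    try:
        decode_headers(build_bomb(refs, pad_len), DynamicTable(), max_headers, max_list_size)
    except HpackError:
        return True
    return False
```

With `decode_headers(build_bomb(2000, 4000), DynamicTable())`, about 6 KB on the wire (one 4 KB literal plus 2,000 single bytes) decodes into 2,001 headers holding roughly 8 MB of name and value bytes, and nothing in the naive path ever says no; `capped_rejects()` shows the same block being refused as soon as either cap trips. The "hold" half of the chain is not modelled here: in the real attack the client keeps its flow-control window at zero so the server cannot finish the request and release those buffers.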

This isn’t the first time HTTP/2 was flagged for allowing DoS attacks. In August 2019, multiple HTTP/2 denial-of-service vulnerabilities disclosed by Netflix (CVE-2019-9511 through CVE-2019-9518) affected numerous server implementations and prompted emergency patches across the ecosystem.

In October 2023, the HTTP/2 Rapid Reset attack (CVE-2023-44487) showed that the protocol’s stream multiplexing could be abused for record-scale DDoS attacks, by opening streams and cancelling them immediately.

Duong recalled in the post that in 2012 he co-discovered CRIME, the compression side-channel attack against TLS and SPDY header compression whose mitigation shaped the design of HPACK. “I was too fixated on fighting CRIME and missed the Bomb,” he reflected.

Calif reported the flaw to all affected projects. nginx and Apache HTTP Server moved quickly to block the attack path, while Envoy patched on June 3. Microsoft IIS and Cloudflare’s Pingora had yet to release patches at the time of publication.

Admins will need to obtain the fixed versions of nginx (v1.29.8+) or Apache HTTP Server (mod_http2 v2.0.41) through the normal update channels for those products. Envoy issued patches for versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1.

For organizations without a patch available to them, Calif recommended disabling HTTP/2 if possible, or “front the server with something that enforces a hard cap on header count per request.”
