HTTP/2 Bomb: New Remote DoS Impacting Major Servers
🛡️ Cybersecurity researchers disclosed a remote denial-of-service exploit called HTTP/2 Bomb that affects major web servers including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora. The flaw leverages HPACK header compression combined with a zero-byte flow-control hold to amplify tiny on-wire headers into large server allocations. Vendors have released patches for some products and provided configuration mitigations for others while several popular implementations remain unpatched.
