New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare
Cybersecurity researchers have uncovered a remote denial-of-service vulnerability named HTTP/2 Bomb that affects major web servers, including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora. The flaw lies in each server's default HTTP/2 configuration, so it is exploitable without any special setup on the target. The vulnerability was discovered by OpenAI Codex through chaining techniques, as reported by The Hacker News.

Attackers can exploit the flaw to crash servers remotely, potentially disrupting services for millions of users. The affected servers power a significant portion of the internet, including content delivery networks, cloud platforms, and enterprise applications.

No CVE ID has been assigned yet, but the researchers have disclosed the issue to the respective vendors. Administrators are advised to monitor for patches and to consider mitigating measures such as rate limiting or, where feasible, disabling HTTP/2. The discovery highlights the ongoing risks in core internet protocols and the importance of proactive security research.
Developers must patch default HTTP/2 configs to prevent remote server crashes.