New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare
What happened
A new remote denial-of-service (DoS) vulnerability called HTTP/2 Bomb has been discovered in major web servers. The flaw affects default HTTP/2 configurations on NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare’s Pingora server. It was identified through an automated process involving OpenAI Codex, which found ways to chain protocol behaviors that cause servers to exhaust resources and crash.
Why it matters
This vulnerability exposes widely used internet infrastructure to remote DoS attacks without requiring any special privileges or misconfiguration on the target. Because HTTP/2 is enabled by default, operators running popular web servers face an increased risk of service outages simply by accepting ordinary-looking traffic. This pressures web infrastructure teams to urgently reevaluate their HTTP/2 defense posture and consider disabling HTTP/2 or patching vulnerable servers. The issue also raises the cost of running HTTP/2 at scale, since mitigation may require more aggressive traffic filtering or additional server resources.
What to watch next
Watch for security patches from all affected server projects and for updates from CDN providers such as Cloudflare. Operators should monitor public vulnerability disclosures and test their HTTP/2 setups against exploit attempts once patches or mitigations are released. Expect increased scrutiny of default protocol configurations, since the vulnerability emerged from “out of the box” settings. Longer term, HTTP/2 protocol design and its implementations will come under pressure to harden against similar amplification methods.
AI Quick Briefs Editorial Desk