HTTP/2 Bomb: One Client Can Exhaust a Web Server's Memory in Seconds
- Jun 5
A single laptop on home broadband can now take a web server offline if it runs NGINX, Apache, IIS, Envoy or Cloudflare Pingora. The technique, disclosed on 2 June and named HTTP/2 Bomb, needs no botnet and no credentials. It abuses how these servers handle HTTP/2 by default, and roughly 880,000 public-facing servers were exposed when the research went live.
What Happened
Researchers at Calif published the exploit after it was found by OpenAI's Codex, which combined two techniques that have been public for a decade: an HPACK compression bomb and a Slowloris-style connection hold. HTTP/2 compresses repeated headers, so a single byte sent by the attacker can force the server to allocate a full header in memory, thousands of times over within one request. A zero-byte flow-control window then stops the server from releasing any of that memory, while the attacker drips tiny update frames to keep the connection alive. Against Apache httpd and Envoy, one client can pin around 32GB of server memory in roughly 20 seconds; NGINX and IIS sit at a lower but still damaging 70-to-one amplification.
Why It Matters
Most Australian organisations run at least one of the affected servers somewhere in their estate, often without realising HTTP/2 is switched on by default. The attack does not steal data; it removes availability, and an outage that costs an attacker almost nothing to launch is a real threat to online retailers, healthcare providers and government services. Denial-of-service activity has been climbing for years, and a repeatable memory-exhaustion attack that any capable AI model can rebuild from a public patch lowers the barrier further still.
A 70:1 amplifier is harmless if the memory is freed when the request completes. It becomes an attack because HTTP/2 lets the client hold the connection open almost for free.
What Security Teams Should Do Now
- Find every web server, reverse proxy and load balancer in your environment and confirm which ones have HTTP/2 enabled by default.
- Patch where fixes exist: NGINX 1.29.8 or later, which adds the max_headers directive, Apache via mod_http2 2.0.41, and Envoy's 3 June security advisory.
- Where no patch exists yet, including Microsoft IIS and Cloudflare Pingora, disable HTTP/2 or front the service with a proxy that caps the number of header fields per request.
- Cap per-worker memory with cgroups, ulimit or container limits so a flooded worker is killed and respawned before it drags the whole host into swap.
- Confirm whether your CDN terminates HTTP/2 at the edge and absorbs this traffic, rather than assuming it does.
- Add resource-exhaustion and denial-of-service cases to your next penetration testing scope, alongside the usual authentication and injection checks.
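The HPACK amplification described under "What Happened", and the per-request cap on header fields recommended above, as an added Python sketch that is not from the article, from Calif's research or from any of the named servers: a minimal HPACK decoder that keeps RFC 7541 dynamic-table accounting and rejects a header block the moment it exceeds a field budget or a decoded-byte budget. The BudgetedDecoder name, its budget values and the sample byte strings are assumptions; static-table lookups, Huffman-coded literals and the non-indexing literal forms are deliberately left out.

```python
from dataclasses import dataclass, field
ENTRY_OVERHEAD = 32       # RFC 7541 s4.1: a table entry costs len(name) + len(value) + 32 bytes
DYNAMIC_TABLE_MAX = 4096  # HTTP/2 default SETTINGS_HEADER_TABLE_SIZE
class HeaderBlockRejected(Exception): pass  # a budget was breached or an unsupported form was seen

def read_int(block: bytes, pos: int, prefix_bits: int) -> tuple[int, int]:
    mask = (1 << prefix_bits) - 1                   # RFC 7541 s5.1: prefix, then 7-bit continuations
    value, pos, shift = block[pos] & mask, pos + 1, 0
    while value >= mask and (shift == 0 or block[pos - 1] & 0x80):
        value += (block[pos] & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
    return value, pos

def read_string(block: bytes, pos: int) -> tuple[str, int]:
    if block[pos] & 0x80:                           # H bit: Huffman-coded literal, out of scope here
        raise HeaderBlockRejected("Huffman string literal not handled in this sketch")
    length, pos = read_int(block, pos, 7)
    return block[pos:pos + length].decode("ascii"), pos + length

@dataclass
class BudgetedDecoder:      # hypothetical name; models the cap a hardened server or proxy enforces
    max_fields: int         # header fields allowed per block (the role NGINX's max_headers plays)
    max_decoded_bytes: int  # memory a decoded block may claim, in RFC 7541 accounting
    dynamic: list = field(default_factory=list)  # newest entry first: index 62 is dynamic[0]
    def lookup(self, index: int) -> tuple[str, str]:
        if not 62 <= index < 62 + len(self.dynamic):  # static-table indices 1-61 omitted here
            raise HeaderBlockRejected(f"unsupported table index {index}")
        return self.dynamic[index - 62]
    def add_entry(self, name: str, value: str) -> None:
        self.dynamic.insert(0, (name, value))       # RFC 7541 s4.4: insert at front, evict from back
        while sum(len(n) + len(v) + ENTRY_OVERHEAD for n, v in self.dynamic) > DYNAMIC_TABLE_MAX:
            self.dynamic.pop()
    def decode(self, block: bytes) -> list[tuple[str, str]]:
        headers, decoded_bytes, pos = [], 0, 0
        while pos < len(block):
            if block[pos] & 0x80:                   # indexed field: one wire byte names a whole entry
                index, pos = read_int(block, pos, 7)
                name, value = self.lookup(index)
            elif block[pos] & 0x40:                 # literal with incremental indexing
                name_index, pos = read_int(block, pos, 6)
                name, pos = (self.lookup(name_index)[0], pos) if name_index else read_string(block, pos)
                value, pos = read_string(block, pos)
                self.add_entry(name, value)
            else:                                   # size updates and non-indexing literals: not handled
                raise HeaderBlockRejected("unsupported representation in this sketch")
            headers.append((name, value))
            decoded_bytes += len(name) + len(value) + ENTRY_OVERHEAD
            if len(headers) > self.max_fields or decoded_bytes > self.max_decoded_bytes:
                raise HeaderBlockRejected(f"{len(headers)} fields, {decoded_bytes} B from {len(block)} wire bytes")
        return headers
```

With a 4,000-byte value parked in the dynamic table, each later one-byte indexed reference expands to just over 4KB of table accounting, which is the ratio a per-block budget has to bound regardless of how cheap the wire bytes were.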
Aurian's Take
This vulnerability is a sign of where offensive research is heading. Both halves of the attack had been documented for ten years, yet no human had connected them against these servers until an AI model read the code and saw that they compose. The same speed cuts the other way: once a fix commit is public, the diff itself becomes a roadmap, and the gap between a patch landing and a working exploit appearing is now measured in hours rather than weeks. Organisations that wait for a quiet maintenance window to apply infrastructure patches are working to a timeline attackers no longer respect.
Regular penetration testing exists for exactly this reason. A point-in-time scan tells you what was unpatched last quarter; a proper security assessment looks at how your services behave under hostile conditions, including the resource-exhaustion and availability attacks that automated scanners routinely miss. At Aurian, we treat denial-of-service resilience and configuration review as part of a full picture of exposure, because an attacker who cannot read your data can still take you offline. Knowing which of your servers speak HTTP/2, and how they hold up when someone abuses it, is the kind of question a security assessment should answer before an attacker does.
HTTP/2 Bomb will not be the last vulnerability an AI model finds by reading source code that people wrote years ago. Knowing where you are exposed, and fixing it before someone else does, is the difference between a patched server and a public outage.
To find out how Aurian can help your organisation assess its exposure, get in touch.