HTTP/2 Bomb: A Critical Flaw Shakes the Foundations of the Web

· HTTP/2, cybersecurity, vulnerability, web servers, DoS

A major flaw, HTTP/2 Bomb, has been revealed, affecting major web servers and allowing denial-of-service attacks. Patches are available, but temporary measures may be necessary.

A major vulnerability, dubbed HTTP/2 Bomb, has just been revealed. It affects the major web servers, which together carry nearly [percentage not specified in sources] of global internet traffic. NGINX, Apache HTTPD, Microsoft Internet Information Services (IIS), Envoy, and Cloudflare Pingora are all affected. The flaw allows remote denial-of-service attacks capable of paralyzing entire infrastructures in seconds.

The discovery was made by OpenAI Codex. Its analysis shows that the default configuration of HTTP/2, the protocol used to accelerate exchanges on the web, contains an exploitable flaw. No authentication is required to trigger the attack: simply sending malicious requests is enough to saturate the targeted servers.

Technical Mechanism: When Compression Becomes a Weapon

HTTP/2 Bomb combines two known but rarely combined techniques. The first is a compression bomb: the attacker sends highly compressible data that, once decompressed by the server, occupies a disproportionate amount of memory. The second is inspired by Slowloris, an attack that keeps a large number of connections open simultaneously.

In this case, the attacker sends HTTP/2 requests containing compressed headers. Once decompressed, these headers impose an excessive memory load, and the overwhelmed server keeps allocating resources until they are exhausted. Meanwhile the connections remain active, preventing legitimate requests from being processed. The result: the service becomes inaccessible, sometimes in under ten seconds. The vulnerable behavior exists in each server's default HTTP/2 configuration.

NGINX and Apache limit the number of simultaneous streams. Microsoft IIS and Envoy apply stricter memory thresholds. However, they all share a common vulnerability: the lack of protection against this specific combination of compression and connection maintenance.

A Potentially Devastating Impact for Users and Businesses

The consequences of this flaw go beyond the technical framework. A successful denial-of-service attack can make websites, applications, or cloud services unavailable. For businesses, this means immediate financial losses. An e-commerce site offline for an hour can lose thousands of euros. Critical platforms, such as banking services or health systems, could become prime targets.

End users also suffer the repercussions. An inaccessible service can block access to essential information. Attacks targeting government infrastructures or media could disrupt vital communications. Growing dependence on digital services amplifies the risks. A prolonged outage could cause panic, especially if it affects multiple services simultaneously.

Hosting providers and cloud providers are on the front line. Giants like Amazon Web Services (AWS), Google Cloud, or Microsoft Azure heavily use NGINX and Envoy. A successful attack on their infrastructure could have a domino effect. Thousands of hosted sites and services would become inaccessible. Trust in the cloud, already weakened by past incidents, would take another hit.

Emergency Measures and Patches: How to Protect Yourself

The publishers of the affected servers have reacted quickly. Patches are already available for NGINX, Apache, and Envoy. Microsoft has released an update for IIS. Cloudflare, which uses Pingora, has also deployed a solution. System administrators must apply these patches without delay. A simple update may be enough to neutralize the threat.

For those who cannot update immediately, temporary measures exist. Disabling HTTP/2 is one option, although it reduces performance. Another is to limit the number of simultaneous streams or to adjust the memory allocation thresholds. These adjustments can reduce the impact of an attack but do not eliminate it completely.
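The mechanism described in the "Technical Mechanism" section and the two interim mitigations above (a cap on simultaneous streams, tighter memory thresholds) can be modelled in a few dozen lines. The following is an added example, not code from the article or from NGINX, Apache, IIS, Envoy or Pingora: it models a per-connection guard with three knobs (concurrent-stream cap, decoded header-list budget, idle timeout), feeds it a constructed header block that expands to far more than any sane header list, and compares the memory cost with the budget switched off (the weak setting) against the budget switched on. The limit values, the `Limits`/`ConnectionGuard` names and the constructed input are all assumptions; no HPACK decoding is performed, the input is modelled as already-decoded fields.

```python
"""Per-connection HTTP/2 resource budget, modelled in pure Python.

Added example. This is not code from NGINX, Apache, IIS, Envoy or Pingora and
the limit values are illustrative; it models the knobs the article names as
mitigations (a cap on concurrent streams, a cap on decompressed header memory
and an idle timeout) and shows why a missing header budget is the weak setting.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, Optional, Tuple

# RFC 7541 section 4.1 counts each header field as name + value + 32 bytes.
HPACK_ENTRY_OVERHEAD = 32


@dataclass
class Limits:
    # Assumed defaults; they mirror SETTINGS_MAX_CONCURRENT_STREAMS and
    # SETTINGS_MAX_HEADER_LIST_SIZE but are not any vendor's shipped values.
    max_concurrent_streams: int = 128
    max_header_list_size: Optional[int] = 16 * 1024   # None = unlimited (the weak setting)
    stream_idle_timeout_s: float = 30.0


@dataclass
class Stream:
    last_activity: float
    decoded_bytes: int = 0


class ConnectionGuard:
    """Tracks the streams of one connection and refuses work beyond Limits."""

    def __init__(self, limits: Limits) -> None:
        self.limits = limits
        self.streams: Dict[int, Stream] = {}
        self.held_bytes = 0           # decoded header bytes currently held
        self.peak_bytes = 0           # high-water mark of held_bytes
        self.rejected_streams = 0
        self.aborted_header_blocks = 0

    def open_stream(self, stream_id: int, now: float) -> bool:
        if len(self.streams) >= self.limits.max_concurrent_streams:
            self.rejected_streams += 1   # a real server would answer RST_STREAM(REFUSED_STREAM)
            return False
        self.streams[stream_id] = Stream(last_activity=now)
        return True

    def _close(self, stream_id: int) -> None:
        stream = self.streams.pop(stream_id)
        self.held_bytes -= stream.decoded_bytes   # closing a stream frees what it decoded

    def decode_headers(self, stream_id: int, fields: Iterable[Tuple[str, str]], now: float) -> bool:
        """Account for decoded fields one at a time; stop as soon as the budget is exceeded.

        Because the check runs per field, an oversized block is rejected before
        it is fully materialised. Returns False when the block was aborted.
        """
        stream = self.streams[stream_id]
        stream.last_activity = now
        budget = self.limits.max_header_list_size
        for name, value in fields:
            size = len(name.encode()) + len(value.encode()) + HPACK_ENTRY_OVERHEAD
            stream.decoded_bytes += size
            self.held_bytes += size
            self.peak_bytes = max(self.peak_bytes, self.held_bytes)
            if budget is not None and stream.decoded_bytes > budget:
                self.aborted_header_blocks += 1
                self._close(stream_id)
                return False
        return True

    def reap_idle(self, now: float) -> int:
        """Close streams that have been silent longer than the idle timeout."""
        idle = [sid for sid, s in self.streams.items()
                if now - s.last_activity > self.limits.stream_idle_timeout_s]
        for sid in idle:
            self._close(sid)
        return len(idle)


def oversized_header_block(fields: int, value_len: int) -> Iterator[Tuple[str, str]]:
    """Constructed input: already-decoded fields that together far exceed any sane header list."""
    for i in range(fields):
        yield (f"x-pad-{i:04d}", "a" * value_len)


def simulate(limits: Limits, streams: int = 1000, fields: int = 512, value_len: int = 4096) -> dict:
    """Drive one hostile connection against the guard and report what it cost the server."""
    guard = ConnectionGuard(limits)
    now = 0.0
    for sid in range(1, 2 * streams, 2):   # client-initiated streams are odd-numbered
        if guard.open_stream(sid, now):
            guard.decode_headers(sid, oversized_header_block(fields, value_len), now)
        now += 0.01
    reaped = guard.reap_idle(now + limits.stream_idle_timeout_s + 1)
    return {"peak_bytes": guard.peak_bytes, "rejected_streams": guard.rejected_streams,
            "aborted_header_blocks": guard.aborted_header_blocks, "reaped_idle_streams": reaped}


if __name__ == "__main__":
    print("no header budget:", simulate(Limits(max_header_list_size=None)))
    print("16 KiB budget:   ", simulate(Limits()))
```

With the budget off, the stream cap alone still lets 128 streams each materialise their full 512-field block, so the connection holds roughly 259 MiB of decoded headers until the idle reaper runs; with a 16 KiB budget every block is aborted at its fourth field and the peak never exceeds about 16 KiB. The point for operators is that the stream limit and the header-memory threshold only work together: either one alone leaves a multiplier the other must bound.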

Companies must also monitor their network traffic. Anomaly detection tools can spot exploitation attempts. Web application firewalls (WAF) can block suspicious requests. A multi-layered approach, combining patches, monitoring, and filtering, offers the best protection.
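One concrete form the traffic monitoring above can take is a periodic check of open connections for the Slowloris-style pattern the article describes: many long-lived connections from one source, each holding many open streams, each having sent almost no request data. The following is an added example, not code from the article or from any vendor or WAF product; it parses a constructed connection snapshot (the shape of data a reverse proxy status page, `ss -tni` or a load balancer's metrics export can provide) and flags clients that match. The field names, the addresses (RFC 5737 documentation ranges) and the thresholds are assumptions and must be tuned against your own baseline.

```python
"""Flag clients that hold many long-lived, low-traffic HTTP/2 connections.

Added example, not from the article or any vendor. It scores a constructed
snapshot of open connections and flags sources whose pattern looks like
connection-holding: many connections, each old, each with many open streams,
each having sent almost nothing. Field names and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional

# Constructed snapshot (RFC 5737 documentation addresses). One line per open connection.
SAMPLE_SNAPSHOT = """\
client=203.0.113.7 conn=1 age_s=184 open_streams=120 bytes_in=2210
client=203.0.113.7 conn=2 age_s=181 open_streams=118 bytes_in=2170
client=203.0.113.7 conn=3 age_s=179 open_streams=121 bytes_in=2240
client=203.0.113.7 conn=4 age_s=176 open_streams=117 bytes_in=2160
client=192.0.2.9 conn=5 age_s=302 open_streams=4 bytes_in=120480
client=198.51.100.4 conn=6 age_s=12 open_streams=3 bytes_in=48120
client=198.51.100.4 conn=7 age_s=1 open_streams=1 bytes_in=9012
this line is malformed and must be skipped rather than crash the monitor
"""


@dataclass
class Conn:
    client: str
    conn_id: int
    age_s: float
    open_streams: int
    bytes_in: int


@dataclass
class Thresholds:
    min_connections: int = 3            # held connections per client before we flag
    min_age_s: float = 60.0             # a held connection is older than this
    min_open_streams: int = 32          # and carries at least this many open streams
    max_bytes_per_stream: float = 64.0  # while having sent almost no request data


def parse_snapshot(text: str) -> List[Conn]:
    """Parse key=value lines; malformed lines are skipped rather than raising."""
    conns: List[Conn] = []
    for line in text.splitlines():
        kv = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        try:
            conns.append(Conn(kv["client"], int(kv["conn"]), float(kv["age_s"]),
                              int(kv["open_streams"]), int(kv["bytes_in"])))
        except (KeyError, ValueError):
            continue
    return conns


def is_held(c: Conn, t: Thresholds) -> bool:
    """A 'held' connection is old, stream-heavy and nearly silent."""
    if c.open_streams <= 0:
        return False
    return (c.age_s >= t.min_age_s
            and c.open_streams >= t.min_open_streams
            and c.bytes_in / c.open_streams <= t.max_bytes_per_stream)


def find_connection_holders(conns: List[Conn], t: Optional[Thresholds] = None) -> Dict[str, dict]:
    """Group connections by client and flag clients with enough held connections."""
    t = t or Thresholds()
    by_client: Dict[str, List[Conn]] = defaultdict(list)
    for c in conns:
        by_client[c.client].append(c)
    flagged: Dict[str, dict] = {}
    for client, cs in by_client.items():
        held = [c for c in cs if is_held(c, t)]
        if len(held) >= t.min_connections:
            flagged[client] = {
                "held_connections": len(held),
                "open_streams": sum(c.open_streams for c in held),
                "median_bytes_per_stream": median(c.bytes_in / c.open_streams for c in held),
            }
    return flagged


if __name__ == "__main__":
    for client, info in find_connection_holders(parse_snapshot(SAMPLE_SNAPSHOT)).items():
        print(f"{client}: {info}")
```

In the constructed snapshot only 203.0.113.7 is flagged: 192.0.2.9 has a long-lived connection but few streams and plenty of data, which is how a normal browser session looks, and 198.51.100.4's connections are too young. Legitimate HTTP/2 clients do keep connections open with several streams, so the per-stream byte ratio is the discriminating signal here, and the thresholds should be set from observed traffic rather than copied from this example.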

End users are not completely helpless. They can check if the sites they frequent have applied the patches. Browser extensions, such as HTTP/2 Indicator, can tell if a site uses HTTP/2. In case of doubt, disabling this feature in the browser settings reduces the risks.

A Flaw Revealing the Limits of Standardization

HTTP/2 Bomb highlights a recurring issue in cybersecurity. Standardized protocols, such as HTTP/2, are designed to improve performance. Their massive adoption makes them prime targets. However, their increasing complexity raises the risk of vulnerabilities. Default configurations, optimized for ease of use, become weak points.

Web server publishers have often prioritized compatibility and performance. Security, although considered, has not always been the absolute priority. This flaw reminds us that design choices can have unforeseen consequences. A seemingly innocuous feature, such as header compression, can become an attack vector.

The discovery of HTTP/2 Bomb also raises questions about the automation of cybersecurity research. Tools like OpenAI Codex, used to identify this flaw, demonstrate the potential of artificial intelligence. But they also pose ethical challenges. Who is responsible if an AI discovers an exploitable vulnerability? How should the disclosure of such information be managed?

Conclusion: Towards an Endless Race Between Attackers and Defenders

HTTP/2 Bomb is not an isolated flaw. It is part of a larger trend: the increase in denial-of-service attacks. In 2025, these attacks increased by 40% compared to the previous year. Cybercriminals are refining their techniques, exploiting increasingly subtle vulnerabilities.

This flaw reminds us of a fundamental truth. The internet relies on complex technologies, often designed without anticipating future threats. The fixes applied today do not guarantee tomorrow's security. Attackers will adapt their methods, finding new vulnerabilities to exploit.

For businesses and users, vigilance remains the best defense. Applying updates, monitoring network traffic, and adopting a proactive approach to cybersecurity are imperatives. Software publishers, for their part, must integrate security from the design stage. Future protocols will need to be more resilient, even at the cost of slightly reduced performance.

The discovery of HTTP/2 Bomb marks a turning point. It shows that even the most widespread technologies are not immune. In an increasingly connected world, security can no longer be an option. It must become an absolute priority at every level of the digital chain.

Key Points

  • A major vulnerability, HTTP/2 Bomb, has been revealed.
  • It affects major web servers such as NGINX, Apache, IIS, Envoy, and Cloudflare.
  • This flaw allows remote denial-of-service attacks.
  • Patches are available for the affected servers.
  • Temporary measures can mitigate the impact of attacks.

Sources

  1. The Hacker News - "New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare". (secondary)
  2. SecurityWeek - "‘HTTP/2 Bomb’ Exploit Knocks Web Servers Offline in Seconds". (secondary)

Transparency: 2 sources (0 primary, 2 secondary). Verification: June 3, 2026.

Truthyx - June 3, 2026