HTTP/2 Bomb — one home PC drains 32GB of server RAM in 20 seconds
TL;DR
HTTP/2 Bomb: one home PC on a 100 Mbps link can drain 32 GB of RAM on Apache HTTPD or Envoy in 20 seconds. NGINX, IIS and Cloudflare Pingora are also vulnerable in their default configurations.
Discovered by OpenAI Codex, disclosed by security firm Calif. Affected: NGINX, Apache HTTPD, Microsoft IIS, Envoy, Cloudflare Pingora — all default-configuration vulnerable.
Mechanism: it combines two known techniques, an HPACK compression bomb and Slowloris-style connection holding. HPACK is HTTP/2's header compression scheme. The attacker sends nearly empty headers, but each entry still triggers per-entry bookkeeping allocations on the server. This bypasses the "decoded size" limits every server enforces, because there is almost nothing to decode. HTTP/2's flow-control window is then held at zero bytes, which keeps the connection open and prevents the server from freeing any of the allocated memory. Result: a single 100 Mbps home connection brings down a server within seconds; Apache HTTPD and Envoy consume 32 GB in 20 seconds.
Patch status. NGINX: upgrade to 1.29.8+; if you can't upgrade, turn off HTTP/2 (http2 off;). Apache: mod_http2 v2.0.41 is patched; otherwise set Protocols http/1.1. IIS, Envoy, Cloudflare Pingora: no patch yet.
via The Hacker News
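A fleet-triage helper, added here as an example and not part of the original post or the Hacker News report: given each host's Server header and whether its TLS handshake negotiates h2 (from an ALPN check), it maps the host to the remediation listed above. The hostnames, Server strings and mod_http2 versions in the sample inventory are constructed.

```python
import re
from typing import Optional, Tuple

# Fixed versions from the advisory summary above. IIS, Envoy and Pingora have
# no fix yet, so for them the only mitigation is turning HTTP/2 off.
NGINX_FIXED = (1, 29, 8)
MOD_HTTP2_FIXED = (2, 0, 41)

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Pull the first dotted version (e.g. 1.29.7) out of a header string."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def triage(server_header: str, h2_negotiated: bool,
           mod_http2_version: Optional[str] = None) -> str:
    """Map one host's observed Server header plus an ALPN result (did the TLS
    handshake negotiate 'h2'?) to the remediation the advisory calls for."""
    if not h2_negotiated:
        return "not exposed: HTTP/2 is not negotiated"
    s = server_header.lower()
    if "nginx" in s:
        v = parse_version(s)
        if v is not None and v >= NGINX_FIXED:
            return "patched: nginx >= 1.29.8"
        return "vulnerable: upgrade nginx to 1.29.8+ or set 'http2 off;'"
    if "apache" in s:
        # The stock Server header rarely carries the mod_http2 version, so it
        # is passed in separately (from package inventory, for example).
        v = parse_version(mod_http2_version or "")
        if v is not None and v >= MOD_HTTP2_FIXED:
            return "patched: mod_http2 >= 2.0.41"
        return "vulnerable: update mod_http2 to 2.0.41+ or set 'Protocols http/1.1'"
    if any(name in s for name in ("microsoft-iis", "envoy", "pingora")):
        return "vulnerable: no patch yet, disable HTTP/2 on this listener"
    return "unknown server: verify HTTP/2 handling manually"

# Constructed sample inventory (hypothetical hosts), one entry per family:
# (hostname, Server header, h2 negotiated, mod_http2 version if known).
SAMPLE_HOSTS = [
    ("web1", "nginx/1.29.7", True, None),
    ("web2", "nginx/1.29.8", True, None),
    ("api", "Apache/2.4.58 (Ubuntu)", True, "2.0.40"),
    ("gw", "envoy", True, None),
    ("legacy", "Microsoft-IIS/10.0", False, None),
]

def triage_inventory(hosts=SAMPLE_HOSTS) -> dict:
    """Return {hostname: verdict} for a list of inventory tuples."""
    return {h: triage(srv, h2, mh2) for h, srv, h2, mh2 in hosts}
```

Feed it the real Server headers and ALPN results from your own scan; hosts that fall into the "no patch yet" bucket are the ones where disabling HTTP/2 is the only option today.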
