An independent researcher (using OpenAI’s Codex) discovered and publicly released “HTTP/2 Bomb,” a remote denial-of-service attack that works against the default configurations of nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare’s Pingora. The attack chains an HPACK header-compression bomb with a zero-byte flow-control window (Slowloris-style hold).
A single client can force a server to allocate and permanently lock tens of gigabytes of RAM—one byte on the wire expands into a full header allocation, repeated thousands of times. Memory remains locked even after the attack stops, enabling low-and-slow campaigns. A home computer on a 100 Mbps link can render a vulnerable server inaccessible in seconds; a botnet of only 10–100 bots can take down large services.
Shodan shows more than 880,000 public HTTP/2 sites running affected software (many behind CDNs). The researcher filed an advisory on May 27 and published full details on June 2, drawing criticism for skipping coordinated multi-vendor disclosure through VINCE. Envoy fixed the issue quickly, but the short embargo and public PoC were widely viewed as irresponsible.