
HTTP/2 Bomb Vulnerability: DoS Risk on NGINX & Apache

A new HTTP/2 bomb vulnerability lets attackers remotely crash NGINX, Apache, IIS, Envoy, and Cloudflare. Here's what developers need to know and do now.

June 3, 2026 | VibeWShield News Agent | Source: thehackernews.com
Editorial note: This article was generated by VibeWShield's AI news agent based on the original report. It has been reviewed for accuracy but may contain AI-generated summaries. Always verify critical details from the original source.

HTTP/2 Bomb Vulnerability Hits Every Major Web Server

A newly disclosed HTTP/2 bomb vulnerability is putting virtually every major web server stack at risk of remote denial-of-service attacks. NGINX, Apache, Microsoft IIS, Envoy, and Cloudflare are all confirmed affected. Attackers can trigger the vulnerability without authentication, sending carefully crafted HTTP/2 frames that cause servers to consume extreme amounts of memory or CPU until they crash or become unresponsive.

This is not a theoretical edge case. The attack surface is massive because HTTP/2 is the default protocol for most modern web infrastructure. If your stack accepts HTTP/2 connections from the internet, you need to pay attention right now.

How the HTTP/2 Bomb Attack Actually Works

HTTP/2 introduced multiplexing, header compression (HPACK), and flow control as performance features. The bomb vulnerability abuses these exact mechanisms. An attacker opens a connection and sends a flood of HEADERS frames with heavily compressed data. When the server decompresses these frames, a small payload expands dramatically in memory, much like a zip bomb works against file parsers.

The specific technique involves crafting CONTINUATION frames that chain together, bypassing server-side limits that only check individual frame sizes. Some variants also abuse SETTINGS frames to exhaust connection state tables. The result is that even a single low-bandwidth client can pin a server's CPU or exhaust heap memory within seconds. No exploit code, no authentication bypass required. Just a TCP connection and knowledge of the frame structure.

Affected versions span a wide range. The vulnerability touches implementations at the HTTP/2 protocol parsing layer, meaning patches must come from each vendor separately. Not all vendors have issued fixes simultaneously.

What Developers and Platform Teams Are Exposed To

Any public-facing service running HTTP/2 is potentially reachable. This includes APIs, web applications, load balancers, and edge proxies. If you run NGINX behind Cloudflare, you may have partial mitigation at the edge layer, but your origin server remains exposed to traffic that bypasses the CDN, as well as to internal tooling and staging environments that connect to it directly.

The denial-of-service impact means total service unavailability. Depending on your deployment, recovery may require manual intervention to restart crashed processes or clear memory pressure. For teams running autoscaling infrastructure, a sustained attack can trigger runaway scaling costs before the attack is even detected.

How to Protect Your Servers Against HTTP/2 Bomb Attacks

Patch immediately. Each affected vendor has either released or is releasing patches. Check the security advisories for your specific versions of NGINX, Apache httpd, IIS, and Envoy. Do not wait for your next scheduled maintenance window.

Where patching is not immediately possible, apply these mitigations:

  • Limit CONTINUATION frames at the configuration level if your server version supports it.
  • Set strict connection and stream timeouts to cut off slow or malformed HTTP/2 sessions early.
  • Enable rate limiting on new HTTP/2 connections at your load balancer or firewall layer.
  • Disable HTTP/2 entirely on internal services that do not require it. HTTP/1.1 is not affected by this specific attack vector.
  • Monitor memory and CPU per connection with alerting thresholds so anomalous clients get blocked automatically.
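The CONTINUATION-chaining technique described above works against a limit that only looks at one frame at a time; the first mitigation in the list ("limit CONTINUATION frames") is really a requirement that the server account for the whole header block. The following Python script is an added illustration of that difference, not code from the original report or from any of the affected vendors. It parses raw HTTP/2 frames, shows a per-frame check that a chain of small frames passes, and beside it a check that bounds the cumulative compressed header block and the number of CONTINUATION frames per block. The limits MAX_HEADER_BLOCK_BYTES and MAX_CONTINUATIONS are assumed policy values chosen for the demonstration, and the sample frames are constructed with opaque filler bytes rather than real HPACK data.

```python
"""Added example: enforcing HTTP/2 header-block limits across CONTINUATION chains."""
from dataclasses import dataclass

# Frame type codes and the END_HEADERS flag as defined in RFC 9113.
DATA, HEADERS, CONTINUATION = 0x0, 0x1, 0x9
END_HEADERS = 0x4
FRAME_HEADER_LEN = 9

# MAX_FRAME_SIZE is the protocol default for SETTINGS_MAX_FRAME_SIZE. The other
# two limits are assumed local policy values for this example, not vendor settings.
MAX_FRAME_SIZE = 16384
MAX_HEADER_BLOCK_BYTES = 8192
MAX_CONTINUATIONS = 8


@dataclass
class Frame:
    length: int
    ftype: int
    flags: int
    stream_id: int
    payload: bytes


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def parse_frames(data: bytes) -> list:
    """Split a raw HTTP/2 byte stream (after the connection preface) into frames."""
    frames, pos = [], 0
    while pos < len(data):
        hdr = data[pos:pos + FRAME_HEADER_LEN]
        if len(hdr) < FRAME_HEADER_LEN:
            raise ValueError("truncated frame header")
        length = int.from_bytes(hdr[0:3], "big")
        ftype, flags = hdr[3], hdr[4]
        stream_id = int.from_bytes(hdr[5:9], "big") & 0x7FFFFFFF
        payload = data[pos + FRAME_HEADER_LEN:pos + FRAME_HEADER_LEN + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        frames.append(Frame(length, ftype, flags, stream_id, payload))
        pos += FRAME_HEADER_LEN + length
    return frames


def naive_check(frames: list) -> str:
    """Per-frame size check only: the kind of limit a CONTINUATION chain slips past."""
    for f in frames:
        if f.length > MAX_FRAME_SIZE:
            return "reject: frame exceeds SETTINGS_MAX_FRAME_SIZE"
    return "accept"


def hardened_check(frames: list) -> str:
    """Account for the whole header block: HEADERS plus every CONTINUATION up to END_HEADERS.

    Bounds compressed bytes and frame count per block. A real server additionally
    bounds the decoded HPACK size (SETTINGS_MAX_HEADER_LIST_SIZE), not shown here.
    """
    open_stream = None  # stream id of the header block currently being assembled
    block_bytes = continuations = 0
    for f in frames:
        if f.length > MAX_FRAME_SIZE:
            return "reject: frame exceeds SETTINGS_MAX_FRAME_SIZE"
        if open_stream is None:
            if f.ftype == CONTINUATION:
                return "reject: CONTINUATION without an open header block"
            if f.ftype != HEADERS:
                continue  # DATA, SETTINGS, etc. are outside this check
            open_stream, block_bytes, continuations = f.stream_id, f.length, 0
        else:
            # RFC 9113 forbids any other frame between HEADERS and END_HEADERS.
            if f.ftype != CONTINUATION or f.stream_id != open_stream:
                return "reject: frame interleaved inside a header block"
            continuations += 1
            block_bytes += f.length
        if block_bytes > MAX_HEADER_BLOCK_BYTES:
            return "reject: header block exceeds MAX_HEADER_BLOCK_BYTES"
        if continuations > MAX_CONTINUATIONS:
            return "reject: too many CONTINUATION frames"
        if f.flags & END_HEADERS:
            open_stream = None
    return "accept"


def sample_benign_request() -> bytes:
    """Constructed: one HEADERS frame carrying END_HEADERS, then a small DATA frame."""
    return (build_frame(HEADERS, END_HEADERS, 1, b"\x00" * 300)
            + build_frame(DATA, 0x1, 1, b"hello"))


def sample_continuation_chain(frame_bytes: int, count: int) -> bytes:
    """Constructed: a HEADERS frame plus `count` CONTINUATION frames of `frame_bytes`
    each, END_HEADERS only on the last. Payloads are opaque filler, not real HPACK."""
    out = build_frame(HEADERS, 0, 1, b"\x00" * frame_bytes)
    for i in range(count):
        out += build_frame(CONTINUATION, END_HEADERS if i == count - 1 else 0, 1,
                           b"\x00" * frame_bytes)
    return out


if __name__ == "__main__":
    for name, raw in [("benign", sample_benign_request()),
                      ("13 x 1000-byte frames", sample_continuation_chain(1000, 12)),
                      ("21 x 100-byte frames", sample_continuation_chain(100, 20))]:
        frames = parse_frames(raw)
        print(f"{name:>22}: naive={naive_check(frames):<8} hardened={hardened_check(frames)}")
```

Every frame in the two chains is far below SETTINGS_MAX_FRAME_SIZE, so the per-frame check accepts them; the cumulative check rejects the first chain on total header-block bytes and the second on frame count. The same two counters are what a server-side "limit CONTINUATION frames" setting has to track, and a per-connection memory or CPU alert (the last bullet above) is the backstop for implementations that do not.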

Running a DAST scan against your public endpoints can help verify whether your patched configuration is actually enforcing the new limits. You can scan your application here to check your exposure.

Check the VibeWShield blog for related HTTP/2 security guidance as vendor advisories continue to roll out.


Q: Does Cloudflare protect me from the HTTP/2 bomb vulnerability automatically?
A: Cloudflare has issued mitigations at the edge, but your origin server remains exposed to direct connections and internal traffic. Patch your origin regardless.

Q: Is HTTP/1.1 affected by this vulnerability?
A: No. The attack relies on HTTP/2-specific features like HPACK compression and CONTINUATION frames. Downgrading to HTTP/1.1 on internal services eliminates this specific risk.

Q: How do I check if my NGINX version is patched?
A: Review the official NGINX security advisories and compare your installed version. Run nginx -v to confirm your current build, then cross-reference with the patched release notes.

