Codex Publishes HTTP/2 Bomb: Remote DoS Exploit Targeting Major Web Servers
By Calif
Summary
Codex has discovered and published a remote denial-of-service exploit called "HTTP/2 Bomb" that targets major web servers through their default HTTP/2 configurations. The attack chains two known techniques: a compression bomb exploiting HPACK (HTTP/2's header compression scheme), in which one byte on the wire becomes a full header allocation on the server, repeated thousands of times per request, combined with a zero-byte flow-control window that prevents the server from freeing that memory. The author notes the irony of having helped break HTTP header compression 14 years ago and having reviewed the fix that became part of HTTP/2, yet still having missed this attack vector.
Key quotes
The attack was discovered by Codex, which chained two techniques known to humans for a decade: a compression bomb and a Slowloris-style hold.
The bomb targets HPACK, HTTP/2's header compression scheme: one byte on the wire becomes one full header allocation on the server, repeated thousands of times per request.
The hold is a zero-byte flow-control window that keeps the server from ever freeing any of it.
14 years ago, I helped break HTTP header compression, then was asked to review the fix, which became part of HTTP/2. Life has come full circle: today we're releasing an attack I missed.
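As an added example (not code from the article or from Codex), here is a minimal HPACK decoder in Python that enforces a header-list size limit while expanding indexed fields, which is the defensive check the HPACK amplification described above relies on being present. The table entry, header block and limit are constructed assumptions, and the decoder handles only dynamic-table indexed representations, not literal fields or the static table.

```python
# Added example, not the article's or Codex's code: an HPACK decoder that
# bounds decompressed header size field by field (constructed inputs below).
STATIC_TABLE_SIZE = 61   # RFC 7541 Appendix A; dynamic entries start at 62
ENTRY_OVERHEAD = 32      # RFC 7540 s6.5.2: per-field overhead for the limit

class HeaderListTooLarge(Exception):
    """Decoded headers would exceed SETTINGS_MAX_HEADER_LIST_SIZE."""
    def __init__(self, size, wire_pos, accepted):
        super().__init__(f"{size} header bytes after {wire_pos} wire bytes")
        self.wire_pos, self.accepted = wire_pos, accepted

def decode_integer(data, pos, prefix_bits):
    """RFC 7541 s5.1 integer decoding. Returns (value, next_pos)."""
    max_prefix = (1 << prefix_bits) - 1
    value = data[pos] & max_prefix
    if value < max_prefix:
        return value, pos + 1
    for i, byte in enumerate(data[pos + 1:]):   # 7 payload bits per byte
        value += (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            return value, pos + i + 2
    raise ValueError("truncated integer")

def decode_indexed_block(block, dynamic_table, max_header_list_size):
    """Decode indexed field representations (0b1xxxxxxx) into (name, value)
    pairs. The size check runs before each append, so one wire byte that
    references a large table entry cannot push the list past the limit.
    dynamic_table[0] is the newest entry, i.e. HPACK index 62."""
    headers, size, pos = [], 0, 0
    while pos < len(block):
        indexed = block[pos] & 0x80
        index, pos = decode_integer(block, pos, 7)
        if not indexed or index <= STATIC_TABLE_SIZE:
            raise ValueError("only dynamic-table indexed fields handled here")
        name, value = dynamic_table[index - STATIC_TABLE_SIZE - 1]
        size += len(name) + len(value) + ENTRY_OVERHEAD
        if size > max_header_list_size:
            raise HeaderListTooLarge(size, pos, len(headers))
        headers.append((name, value))
    return headers

def demo(wire_bytes=16, value_len=4000, limit=16384):
    """Constructed: one table entry near the 4096-byte default table size,
    referenced by `wire_bytes` one-byte fields. Returns (accepted, consumed)."""
    table = [(b"x-pad", b"A" * value_len)]
    block = bytes([0x80 | (STATIC_TABLE_SIZE + 1)]) * wire_bytes
    try:
        return len(decode_indexed_block(block, table, limit)), len(block)
    except HeaderListTooLarge as exc:
        return exc.accepted, exc.wire_pos
```

With the defaults, demo() stops after five wire bytes with four fields accepted; a decoder that checked the size only after fully expanding the block would have allocated the entire amplified header list first.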
