{"id":8384,"date":"2026-06-04T16:44:47","date_gmt":"2026-06-04T16:44:47","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8384"},"modified":"2026-06-04T16:44:47","modified_gmt":"2026-06-04T16:44:47","slug":"http-2s-speed-abused-to-slow-webserver-performance-in-dos-attack","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8384","title":{"rendered":"HTTP\/2\u2019s speed abused to slow webserver performance in DoS attack"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Security researchers are warning of an issue with the default HTTP\/2 configuration used by major web servers, which reportedly survived more than a decade of human review before showing up in Codex-assisted analysis.<\/p>\n<p>A flaw in the handling of the HTTP\/2 protocol made a denial-of-service (DoS) attack possible on web servers including nginx, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare\u2019s Pingora, according to security consultancy Calif.<\/p>\n<p><a href=\"https:\/\/www.infoworld.com\/article\/2245551\/seven-no-bull-facts-about-the-new-http-2-protocol.html\">HTTP\/2<\/a> was introduced in 2015 to increase the speed of HTTP by allowing multiple simultaneous connections, and is gradually being superseded by <a href=\"https:\/\/www.infoworld.com\/article\/3497016\/what-is-http-3-the-next-generation-web-protocol.html\">HTTP\/3<\/a>, which is built on the new QUIC encrypted transport protocol. 
The problem uncovered by Calif lies in how affected servers handle HTTP\/2 header compression and request processing, allowing an attacker to trigger disproportionate memory consumption.<\/p>\n<p>\u201cThe attack chained two techniques known to humans for a decade: a compression bomb and a Slowloris-style hold,\u201d Calif CEO <a href=\"https:\/\/www.linkedin.com\/in\/thaidn\/\" target=\"_blank\" rel=\"noopener\">Thai Duong<\/a> said in a blog post, calling the technique <a href=\"https:\/\/blog.calif.io\/p\/codex-discovered-a-hidden-http2-bomb\" target=\"_blank\" rel=\"noopener\">HTTP\/2 Bomb<\/a>. A search of Shodan revealed <a href=\"https:\/\/www.shodan.io\/search?query=ssl.alpn%3A%22h2%22+product%3Anginx%2CApache%2CIIS%2CEnvoy%2CPingora\" target=\"_blank\" rel=\"noopener\">880,000+ websites<\/a> supporting HTTP\/2 and running one of these servers, although many of these websites use a Content Delivery Network (<a href=\"https:\/\/www.csoonline.com\/article\/4101395\/suspicious-traffic-could-be-testing-cdn-evasion-says-expert.html\">CDN<\/a>), which may add some complexity to the attack, he said.<\/p>\n<h2 class=\"wp-block-heading\">Weaponizing a compression feature for DoS<\/h2>\n<p>The issue, tracked as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-49975\" target=\"_blank\" rel=\"noopener\">CVE-2026-49975<\/a>, involves HPACK, the header compression mechanism built into HTTP\/2. Calif found that attackers can abuse the protocol\u2019s dynamic header table in a way that forces servers to repeatedly allocate memory far beyond what would normally be expected from the size of incoming requests.<\/p>\n<p>A relatively small amount of attacker-controlled traffic can trigger excessive memory allocations on the target server, Duong said.<\/p>\n<p>\u201cThe bomb targets HPACK, HTTP\/2\u2019s header compression scheme: One byte on the wire becomes one full header allocation on the server, repeated thousands of times per request,\u201d he said. 
\u201cThe hold is a zero-byte flow-control window that keeps the server from ever freeing any of it.\u201d<\/p>\n<p>This isn\u2019t the first time HTTP\/2 has been flagged for allowing DoS attacks. In 2019, <a href=\"https:\/\/blog.cloudflare.com\/on-the-recent-http-2-dos-attacks\" target=\"_blank\" rel=\"noopener\">multiple<\/a> HTTP\/2 denial-of-service vulnerabilities disclosed by Netflix affected numerous server implementations and prompted emergency patches across the ecosystem.<\/p>\n<p>In October 2023, the protocol was <a href=\"https:\/\/www.csoonline.com\/article\/655106\/built-in-weakness-in-http-2-protocol-exploited-for-massive-ddos-attacks.html\">disclosed to be prone<\/a> to massive DDoS attacks owing to its stream multiplexing capability.<\/p>\n<p>Duong recalled in the post how in 2012 he contributed to the discovery and patching of a flaw in HPACK that back then was exploited by a different attack, <a href=\"https:\/\/docs.digicert.com\/en\/certcentral\/certificate-tools\/discovery-user-guide\/tls-ssl-endpoint-vulnerabilities\/crime.html\">CRIME<\/a>. \u201cI was too fixated on fighting CRIME and missed the Bomb,\u201d he reflected.<\/p>\n<p>Calif reported the flaw to all affected projects. nginx and Apache HTTP Server moved quickly to block the attack path, while Envoy patched on June 3. Microsoft IIS and Cloudflare\u2019s Pingora had yet to release patches at the time of publication.<\/p>\n<p>Admins will need to obtain the fixed versions of nginx (v1.29.8+) or Apache (mod_http2 v2.0.41) through the normal update channels used for these products. 
Envoy <a href=\"https:\/\/github.com\/envoyproxy\/envoy\/security\/advisories\/GHSA-22m2-hvr2-xqc8\" target=\"_blank\" rel=\"noopener\">issued patches<\/a> for versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1.<\/p>\n<p>For organizations without a patch available to them, Calif recommended disabling HTTP\/2 if possible, or \u201cfront the server with something that enforces a hard cap on header count per request.\u201d<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Security researchers are warning of an issue with the default HTTP\/2 configuration used by major web servers which reportedly survived more than a decade of human review before showing up in Codex-assisted analysis. A flaw in the handling of the HTTP\/2 protocol made a denial-of-service (DoS) attack possible on web servers including nginx, Apache HTTP [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8385,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8384","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8384"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8384"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8384\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8385"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv
2%2Fmedia&parent=8384"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8384"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8384"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}