New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare
Summary
Researchers have disclosed a new denial-of-service vulnerability, dubbed 'HTTP/2 Bomb', that affects major HTTP/2 implementations, including the NGINX, Apache and IIS web servers, the Envoy proxy, and Cloudflare's edge. The vulnerability abuses default HTTP/2 configurations, so an unpatched deployment is exposed without any operator misconfiguration, and it was found by OpenAI Codex (an AI coding tool).
IFF Assessment
This vulnerability allows for remote denial-of-service attacks, which directly harms the availability of web services.
Severity
The vulnerability enables remote denial of service (impact on availability) and is exploitable over the network with no privileges or user interaction (exploitability). Scope is unchanged: the impact is confined to the affected server or proxy.
Defender Context
Defenders should treat this HTTP/2 vulnerability as a DoS risk for any exposed HTTP/2 endpoint. Organizations running the affected servers or proxies should track vendor advisories and apply patches as they are released. Because the report does not describe the exploit traffic, interim network-level mitigations (edge rate limiting, WAF or IDS rules) can only be tuned to detect or block the specific exploit pattern once it is published; until then, generic HTTP/2 connection and request rate limits at the edge are the available stopgap.