‘HTTP/2 Bomb’ Exploit Knocks Web Servers Offline in Seconds

The default HTTP/2 configuration of major web servers is vulnerable to an attack chain combining a compression bomb and a Slowloris-style hold. The post ‘HTTP/2 Bomb’ Exploit Knocks Web Servers Offline in Seconds appeared first on SecurityWeek .

SecurityWeek reports that researchers at Calif used OpenAI’s Codex to automatically chain two *existing* HTTP/2 denial-of-service techniques (an HPACK compression bomb and a Slowloris-style flow-control hold) into a new, highly effective 'HTTP/2 Bomb' DoS exploit affecting default configurations of major web servers such as NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora.[1][2] The attack can be launched from a single home machine and rapidly exhaust tens of gigabytes of RAM on vulnerable servers running HTTP/2 in default settings, with some vendor patches already available and others still pending.[1][2][3] From a CyberSE.AI perspective, this illustrates a concrete AI supply chain risk: AI coding and security-assistance tools (here, Codex) are now powerful enough to discover and weaponize exploit chains against widely deployed infrastructure. Organizations integrating AI-assisted development or offensive testing into their pipelines need controls to track how AI-generated code and findings are used, ensure they are applied for defensive hardening rather than operationalized as ungoverned exploit kits, and verify that web and API frontends exposed to AI-powere