HTTP/2 bomb DoS vulnerability (Image © Calif)
The vulnerability is widespread: it affects software from vendors that together hold more than 80 percent of the market. Affected systems identified so far include Nginx, Apache HTTPD, Microsoft IIS, Envoy and Cloudflare Pingora, particularly when running the default HTTP/2 configuration.
The attack targets HPACK (tracked as CVE-2016-6581), the header compression mechanism of HTTP/2. In normal operation HPACK saves bandwidth by keeping a dynamic table of recently transmitted headers, so that a header can later be referenced by its table index instead of being sent again. An attacker abuses this by first storing a header with a very large value in the table and then sending a stream of single bytes, each of which is an indexed reference to that entry. The server must expand every one of these bytes back into the full header name and value, so a few kilobytes on the wire become many megabytes of decoded headers in the server's memory.
To keep that memory occupied, the attacker combines a zero-size flow-control window with repeated WINDOW_UPDATE frames that enlarge the window by a single byte. The server can then send at most one byte of the response at a time, so the expanded headers and the pending response remain in its buffers for as long as the connection stays open.
The tests carried out by the Calif researchers showed that the platforms are vulnerable to varying degrees. Envoy was the worst affected, with a data expansion ratio of 5,700:1, which let an attacker fill 32 GB of memory in about 10 seconds. Apache HTTPD followed at 4,000:1. The other servers showed lower but still critical ratios: Nginx 70:1, Microsoft IIS 68:1 and Cloudflare Pingora 62:1. Against Nginx the same 32 GB could be exhausted in about 45 seconds.
Vendor responses varied. Nginx, Apache HTTPD and Envoy have already released security updates that fix the vulnerability. Patches for Microsoft IIS and Cloudflare Pingora are not yet available.
Administrators running unpatched software are advised either to disable HTTP/2 entirely or to put a front-end system in place that limits the number of headers allowed per request. According to the researchers, the underlying flaws have existed for almost a decade; they were only recently combined into this particular attack vector with the help of AI-driven source code analysis.
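The following is an added example, not code from the article or from the Calif researchers. It implements just enough of HPACK (RFC 7541: indexed fields, literal fields with incremental indexing, raw non-Huffman strings) to show two things from the text above: how one priming header plus a block of one-byte indexed references expands into tens of megabytes of decoded headers, and how a cap on the decoded header list size (the accounting HTTP/2 uses for SETTINGS_MAX_HEADER_LIST_SIZE, name + value + 32 bytes per field) aborts the expansion after a few references, which is the kind of front-end limit the last paragraph recommends. The 4000-byte value and the 16384 references are chosen by this example (a 16 KiB HEADERS payload), not taken from the research; the static table is not modelled, only its size of 61 entries, so dynamic-table indices start at 62.

```python
STATIC_TABLE_SIZE = 61      # RFC 7541 Appendix A; first dynamic entry is index 62
DEFAULT_TABLE_SIZE = 4096   # default SETTINGS_HEADER_TABLE_SIZE
ENTRY_OVERHEAD = 32         # RFC 7541 section 4.1 per-entry overhead


class HeaderListTooLarge(Exception):
    """Decoded header list exceeded the configured limit."""


def encode_int(value, prefix_bits, flags=0):
    """HPACK integer (RFC 7541 section 5.1) with an N-bit prefix."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([flags | value])
    out, value = bytearray([flags | limit]), value - limit
    while value >= 128:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def decode_int(buf, pos, prefix_bits):
    limit = (1 << prefix_bits) - 1
    value, pos = buf[pos] & limit, pos + 1
    if value < limit:
        return value, pos
    shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def encode_str(data):
    return encode_int(len(data), 7) + data      # H bit clear: raw octets


def decode_str(buf, pos):
    if buf[pos] & 0x80:
        raise ValueError("Huffman strings are not handled in this example")
    length, pos = decode_int(buf, pos, 7)
    return buf[pos:pos + length], pos + length


class HpackDecoder:
    def __init__(self, table_size=DEFAULT_TABLE_SIZE):
        self.table_size, self.table, self.table_bytes = table_size, [], 0

    def _insert(self, name, value):
        self.table.insert(0, (name, value))      # newest entry first (index 62)
        self.table_bytes += len(name) + len(value) + ENTRY_OVERHEAD
        while self.table_bytes > self.table_size:   # evict oldest entries
            n, v = self.table.pop()
            self.table_bytes -= len(n) + len(v) + ENTRY_OVERHEAD

    def _lookup(self, index):
        dyn = index - STATIC_TABLE_SIZE - 1
        if dyn < 0 or dyn >= len(self.table):
            raise ValueError("static or invalid index %d not handled here" % index)
        return self.table[dyn]

    def decode(self, block, max_header_list_size=None):
        """Return (headers, decoded_bytes); raise once the cap is exceeded."""
        headers, decoded, pos = [], 0, 0
        while pos < len(block):
            b = block[pos]
            if b & 0x80:                         # indexed field: one byte on the wire
                index, pos = decode_int(block, pos, 7)
                name, value = self._lookup(index)
            elif b & 0x40:                       # literal with incremental indexing
                index, pos = decode_int(block, pos, 6)
                if index:
                    name, _ = self._lookup(index)
                else:
                    name, pos = decode_str(block, pos)
                value, pos = decode_str(block, pos)
                self._insert(name, value)
            else:
                raise ValueError("representation 0x%02x not handled here" % b)
            decoded += len(name) + len(value) + ENTRY_OVERHEAD
            if max_header_list_size is not None and decoded > max_header_list_size:
                raise HeaderListTooLarge(decoded)  # a real server would reset the stream here
            headers.append((name, value))
        return headers, decoded


def build_hpack_bomb(value_len=4000, refs=16384):
    """Two header blocks sent on one connection (constructed example input):
    the first primes the dynamic table with a big entry, the second is
    `refs` one-byte references to it (0x80 | 62 = 0xBE)."""
    prime = bytes([0x40]) + encode_str(b"x") + encode_str(b"A" * value_len)
    bomb = bytes([0x80 | (STATIC_TABLE_SIZE + 1)]) * refs
    return prime, bomb


def amplification(value_len=4000, refs=16384):
    """Wire bytes, decoded bytes and their ratio when decoded without any cap."""
    dec, (prime, bomb) = HpackDecoder(), build_hpack_bomb(value_len, refs)
    _, d1 = dec.decode(prime)
    _, d2 = dec.decode(bomb)
    wire = len(prime) + len(bomb)
    return wire, d1 + d2, (d1 + d2) // wire


def bomb_is_blocked(max_header_list_size=8192, value_len=4000, refs=16384):
    """True if the decoded-size cap stops the bomb block before it is fully expanded."""
    dec, (prime, bomb) = HpackDecoder(), build_hpack_bomb(value_len, refs)
    dec.decode(prime, max_header_list_size)      # the priming header itself fits
    try:
        dec.decode(bomb, max_header_list_size)
    except HeaderListTooLarge:
        return True
    return False


if __name__ == "__main__":
    print("wire=%d decoded=%d ratio=%d:1" % amplification())
    print("blocked by 8 KiB header list cap:", bomb_is_blocked())
```

With these constructed parameters about 20 KB on the wire decodes to roughly 66 MB, a ratio in the low thousands, which is the same order as the Envoy and Apache figures above; the real ratios depend on each server's table size, frame limits and how long it keeps decoded headers around. The cap makes the decoder give up after the third reference, so the 16 KiB block never costs more than a few kilobytes of decoded state.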
