A newly discovered vulnerability dubbed ‘HTTP/2 Bomb’ allows attackers to remotely crash major web servers — including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora — without authentication. The flaw exploits default HTTP/2 configurations, meaning most deployments are vulnerable out of the box. Because it affects such a broad range of widely used infrastructure, the potential impact is significant across cloud and on-premises environments alike.

Architect’s Take: Audit your HTTP/2 configurations across all edge and origin servers immediately, and apply vendor patches or mitigations as they are released — prioritising internet-facing NGINX, Apache, IIS, and Envoy instances. In the interim, consider enforcing HTTP/2 connection and stream limits at your load balancer or WAF layer to reduce exposure.

Original advisory: New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare