Highlight

We’re publishing HTTP/2 Bomb, a remote denial-of-service exploit against most major web servers, including:

nginx
Apache httpd
Microsoft IIS
Envoy
Cloudflare Pingora
The vulnerable behavior exists in each server's default HTTP/2 configuration.

The attack was discovered by Codex, which chained two techniques known to humans for a decade: a compression bomb and a Slowloris-style hold.