AI-Assisted Researchers Uncover ‘HTTP/2 Bomb’ Attack That Can Cripple Major Web Servers in Seconds

A newly disclosed denial-of-service attack is raising concerns across the cybersecurity community after researchers demonstrated how a single machine can overwhelm enterprise web servers and consume tens of gigabytes of memory within seconds.

The attack, dubbed HTTP/2 Bomb, targets implementations of the HTTP/2 protocol used by some of the world's most widely deployed web infrastructure platforms, including NGINX, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare's Pingora.

What makes the technique notable is not the discovery of a new protocol flaw, but rather the way existing attack methods were combined into a highly effective resource exhaustion campaign. Researchers at offensive security firm Calif said the attack was identified with assistance from OpenAI's Codex software agent, highlighting how AI-powered research tools are increasingly helping security teams uncover unexpected attack paths.

According to Calif's findings, the attack merges two established HTTP/2 abuse techniques. One generates disproportionate memory allocation through HPACK header compression behavior, while the other prevents those resources from being released by exploiting HTTP/2 flow-control mechanisms. Together, the methods create a powerful amplification effect that can rapidly consume server memory and render services unavailable.

“A home computer on a 100Mbps connection can render a vulnerable server inaccessible within seconds. Against Apache httpd and Envoy, a single client can consume and hold 32GB of server memory in roughly 20 seconds,” the researchers said.

The attack exploits HPACK, the compression system used by HTTP/2 to reduce header transmission overhead. By repeatedly referencing entries stored in a server's dynamic compression table, attackers can trigger significant memory allocations while transmitting very little data. Researchers observed amplification ratios reaching thousands of bytes of server-side memory consumption for every byte sent by an attacker.

The second phase of the attack is what transforms the memory spike into a sustained denial-of-service condition. By manipulating HTTP/2 flow-control settings, attackers can effectively stall server responses and prevent allocated resources from being reclaimed. As connections remain open, memory usage continues to accumulate until systems become unstable or crash.

In testing conducted by Calif, several major server platforms experienced rapid memory exhaustion. Envoy depleted 32 GB of RAM in approximately 10 seconds, Apache HTTP Server reached the same threshold in under 20 seconds, while NGINX and Microsoft IIS exhausted available memory within roughly 45 seconds.

The findings illustrate a broader challenge facing security teams: many defensive controls are designed to stop known attack techniques in isolation. When those techniques are chained together, traditional safeguards may no longer provide adequate protection.

Mayank Kumar, Founding AI Engineer at DeepTempo, believes the larger story is how the attack was discovered.

"The detail that matters in the HTTP/2 Bomb isn't necessarily memory amplification, it's how it surfaced. An AI agent, working under researcher guidance, found a technique that chains two long-known HTTP/2 methods no one had bothered to combine. Every defense it defeats is a static limit - decoded header size caps, header count restrictions. They hold each technique in isolation and collapse against combinations, because every individual byte looks legitimate. Signatures fail. Now flip the script - an attacker guiding an agent to assemble novel attacks from known parts faster than anyone can patch. That's the scary version, and it's untenable."

Kumar argues that the security industry is approaching a turning point where AI-assisted attackers can rapidly discover attack chains that bypass rule-based protections.

"Untenable for static defenses, anyway. They enumerate, catching what's already been seen and described, so an attack assembled on demand from legitimate-looking parts has nothing to match against until after it has run. What doesn't change is the behavior: memory allocated and never released, connections held open with nothing flowing, consumption that doesn't fit the request. That signal doesn't need a prior sighting. So detection has to move, from matching known patterns to modeling what's normal and flagging what breaks it, no matter how the attack was assembled, in isolation or with live agents in the loop. Attackers already put agents in the loop. Defenders can't stay manual - you don't out-write automated discovery, you out-adapt it."

Security experts note that exposure varies significantly by deployment architecture. Organizations that terminate traffic behind content delivery networks, reverse proxies, or web application firewalls may be less susceptible if those systems enforce strict header limits before requests reach backend infrastructure. Some environments may also be protected by custom HTTP/2 restrictions or by disabling the protocol entirely.

Mitigations are already becoming available. NGINX has introduced protections through a new header-limiting capability in version 1.29.8, while Apache addressed the issue in mod_http2 2.0.41 and assigned the vulnerability CVE-2026-49975. At publication time, fixes had not yet been released for Microsoft IIS, Envoy, or Pingora.

For organizations running affected platforms, researchers recommend evaluating HTTP/2 exposure, implementing strict header-count controls through upstream proxies, and monitoring for abnormal memory consumption patterns that may indicate exploitation attempts.
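The behavioral signal Kumar describes (memory allocated and never released, connections held open with nothing flowing, consumption that does not fit the bytes received) can be expressed as a simple per-connection check. The following is an added illustration, not code from Calif or any of the named servers; it assumes a hypothetical metrics feed that exposes per-connection bytes received, decoded-header memory and flow-control stall time, and the thresholds are placeholders to be tuned against a baseline of normal traffic.

```python
from dataclasses import dataclass
from typing import List

# Constructed per-connection snapshots, shaped like what a reverse proxy or
# server-side metrics exporter might expose. Not real telemetry.
@dataclass
class ConnSnapshot:
    conn_id: str
    bytes_received: int        # client -> server bytes on this connection
    decoded_header_bytes: int  # memory attributed to decoded HPACK headers
    stalled_seconds: float     # time the client has kept its send window at zero
    streams_open: int          # streams still open (responses not yet drained)

# Hypothetical thresholds; derive real values from normal-traffic baselines.
AMPLIFICATION_RATIO = 100.0   # decoded header bytes per byte received
STALL_SECONDS = 5.0           # flow-control stall long enough to matter

def amplification(snap: ConnSnapshot) -> float:
    """Server memory held for decoded headers per byte the client actually sent."""
    return snap.decoded_header_bytes / max(snap.bytes_received, 1)

def classify(snap: ConnSnapshot) -> List[str]:
    """Name which halves of the chain this connection exhibits."""
    reasons = []
    if amplification(snap) >= AMPLIFICATION_RATIO:
        reasons.append("header-amplification")   # HPACK dynamic-table reuse
    if snap.stalled_seconds >= STALL_SECONDS and snap.streams_open > 0:
        reasons.append("flow-control-stall")      # window held at zero, nothing draining
    return reasons

def suspicious(snaps: List[ConnSnapshot]) -> List[str]:
    """Flag only connections showing both halves; either alone is often benign."""
    return [s.conn_id for s in snaps if len(classify(s)) == 2]

def held_bytes(snaps: List[ConnSnapshot]) -> int:
    """Memory currently pinned by flagged connections, for alert severity."""
    return sum(s.decoded_header_bytes for s in snaps if len(classify(s)) == 2)

# Constructed samples: a normal client, a client sending bulky but draining
# headers, a slow client with ordinary headers, and the chained pattern.
SAMPLE = [
    ConnSnapshot("c1", bytes_received=4_000, decoded_header_bytes=6_000, stalled_seconds=0.0, streams_open=1),
    ConnSnapshot("c2", bytes_received=2_000, decoded_header_bytes=900_000, stalled_seconds=0.0, streams_open=2),
    ConnSnapshot("c3", bytes_received=3_000, decoded_header_bytes=5_000, stalled_seconds=40.0, streams_open=1),
    ConnSnapshot("c4", bytes_received=2_000, decoded_header_bytes=8_000_000, stalled_seconds=30.0, streams_open=100),
]

if __name__ == "__main__":
    print(suspicious(SAMPLE), held_bytes(SAMPLE))
```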

The disclosure arrives as enterprises increasingly rely on AI-assisted development and security tools. While the discovery demonstrates the potential benefits of AI-powered research, it also underscores a growing reality for defenders: future attacks may emerge not from entirely new vulnerabilities, but from intelligent systems rapidly discovering dangerous combinations of flaws that have existed for years.