Stefan 'lerothas' D. :v_gay2: (@[email protected])

LGBTQIA+ and Tech

The open source programs nginx and Apache httpd are already patched; the closed source programs from, among others, MicroSlop are still vulnerable.

But open source is far too insecure and just hobby projects anyway. Right?

Only one client needed: HTTP/2 Bomb cripples web servers in seconds
https://www.golem.de/news/nur-ein-client-noetig-http-2-bomb-legt-webserver-in-sekunden-lahm-2606-209396.html

#nginx #apachehttpd #MicrosoftIIS #http2bomb #opensource

Only one client needed: HTTP/2 Bomb cripples web servers in seconds - Golem.de

On common web servers such as Nginx, Apache HTTPD and Microsoft IIS, memory can be flooded within seconds with little effort.

Golem.de
New 'HTTP/2 Bomb' DoS attack crashes web servers in under a minute

A new denial-of-service (DoS) attack dubbed HTTP/2 Bomb can be launched from a single machine to take down web servers within seconds.

BleepingComputer
Researchers disclose "HTTP/2 Bomb" — a memory-exhaustion DoS that can render major web servers inaccessible in seconds. Affects nginx, Apache, IIS, Envoy, Pingora; patches exist for some. Read: https://cyberinsider.com/new-http-2-bomb-attack-can-exhaust-server-memory-in-seconds/ 💣⚠️🛡️ #HTTP2Bomb #infosec #cybersecurity
New “HTTP/2 Bomb” attack can exhaust server memory in seconds

Researchers have disclosed a new denial-of-service technique dubbed HTTP/2 Bomb, that renders major web servers inaccessible within seconds.

CyberInsider
Codex Discovered a Hidden HTTP/2 Bomb

14 years ago, I helped break HTTP header compression, then was asked to review the fix, which became part of HTTP/2. Life has come full circle: today we're releasing an attack I missed.

Calif

Patched version of #Apache's httpd fixing CVE-2026-49975 (#HTTP2Bomb) is in Debian Unstable. Coming to testing quickly I guess 🤔

mod_http2 patch is applied by Debian maintainers.

Nothing yet for stable

https://tracker.debian.org/news/1759645/accepted-apache2-2467-2-source-into-unstable/

Debian Package Tracker

Preliminary assessment: We consider Vinyl Cache safe against the attack vector named "HTTP/2 Bomb", because it does not allow the amplification method underlying it.
#http2 #http2bomb #vinyl_cache

https://vinyl-cache.org/lists/pipermail/vinyl-dev/2026-June/004936.html

h2 bomb

Codex Discovered a Hidden HTTP/2 Bomb

14 years ago, I helped break HTTP header compression, then was asked to review the fix, which became part of HTTP/2. Life has come full circle: today we're releasing an attack I missed.

💥 https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb

#http2 #break #http2Bomb #compression #web #http #nginx #Apache #httpd #Microsoft #IIS #Envoy #Cloudflare #Pingora #Apachehttpd #MicrosoftIIS #CloudflarePingora #webserver #server

HTTP/2 Bomb Attack Disrupts Web Servers in Seconds

A home computer on a typical 100Mbps connection can cripple a vulnerable server in mere seconds using a new technique called the HTTP/2 Bomb, which cleverly combines two known weaknesses in HTTP/2 server configurations. This potent attack can be unleashed quickly, leaving servers inaccessible.

https://osintsights.com/http2-bomb-attack-disrupts-web-servers-in-seconds?utm_source=mastodon&utm_medium=social

#Http2Bomb #DenialOfService #Hpack #Slowloris #WebServers

HTTP/2 Bomb Attack Disrupts Web Servers in Seconds

Learn how the HTTP/2 Bomb attack disrupts web servers in seconds by combining known weaknesses, and find out how to protect your server from this threat now.

OSINTSights

HTTP/2 Bomb Vulnerability Targets Major Web Servers with Remote DoS Exploit

A newly discovered HTTP/2 Bomb vulnerability can be exploited to launch a remote Denial of Service (DoS) attack on major web servers, taking advantage of a weakness in the default HTTP/2 configuration. This flaw cleverly combines a compression bomb and a Slowloris-style hold to target HPACK, HTTP/2's header-compression…

https://osintsights.com/http2-bomb-vulnerability-targets-major-web-servers-with-remote-dos-exploit?utm_source=mastodon&utm_medium=social

#Http2Bomb #DenialOfService #RemoteExploit #Vulnerability #WebServers

HTTP/2 Bomb Vulnerability Targets Major Web Servers with Remote DoS Exploit

Learn how the HTTP/2 Bomb vulnerability exploits major web servers with a remote DoS attack and protect your site now with expert security tips and fixes today.

OSINTSights