New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare

thehackernews.com | 2026-06-03 | AI supply chain | High

What Happened

Cybersecurity researchers have discovered a remote denial-of-service exploit that affects major web servers, including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora. The vulnerability has been codenamed HTTP/2 Bomb by Calif. "The vulnerable behavior exists in each server's default HTTP/2 configuration," the company said, adding it was discovered by OpenAI Codex by chaining

Why It Matters

The article reports a new "HTTP/2 Bomb" remote denial-of-service vulnerability affecting widely used web servers and infrastructure, including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora, with the flaw present in default HTTP/2 configurations. According to the report, the issue was discovered using OpenAI Codex by chaining behaviors in these implementations, demonstrating that AI-assisted code analysis can surface systemic protocol-level weaknesses. From a CyberSE.AI perspective, this highlights AI supply chain risk: core HTTP/2 libraries and server stacks that AI agents or AI-backed APIs rely on may inherit exploitable DoS conditions, impacting the availability and reliability of AI services. Organizations should incorporate HTTP/2 and core web stack vulnerabilities into their AI SBOM, harden and patch upstream web components that front AI endpoints, and treat AI-assisted vulnerability discovery as a reason to increase the cadence of dependency review and coordinated disclosure processes.

Healthcare, Fintech, SaaS, SMB, AI startups

CyberSE Analysis

This signal maps to AI supply chain. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.

Recommended Actions

  • Restrict AI agent tool permissions and production write paths.
  • Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
  • Add human approval workflows for high-impact or state-changing actions.
  • Run prompt injection and indirect prompt injection tests against affected workflows.
  • Document the owner, control gap, and remediation deadline for this risk class.

Source

https://thehackernews.com/2026/06/new-http2-bomb-vulnerability-allows.html