Bottom line: HTTP/2 default configurations in NGINX, Apache, IIS, Envoy, and Cloudflare Pingora enable remote denial-of-service attacks.
Security researchers have identified a remote DoS vulnerability in the default HTTP/2 configurations of NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora. The flaw, dubbed HTTP/2 Bomb, affects critical internet infrastructure and requires immediate attention from infrastructure operators.
The vulnerability exists in the default settings of the HTTP/2 implementations of several market-leading web servers. NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora are affected; together they account for a large share of globally deployed web server infrastructure. The flaw enables attackers to conduct remote denial-of-service attacks.
The vulnerability was discovered by security researchers and catalogued under the name HTTP/2 Bomb. The weakness lies in the respective default configurations of HTTP/2 support, not in individual custom setups. This means that countless installations are at risk without any additional action by the operator.
For CISOs, this demands prioritization of patching and configuration hardening. All systems using HTTP/2 should be checked for available security updates from their vendors. In parallel, web application firewall rules and rate-limiting strategies should be evaluated to make DoS attacks fundamentally harder. At the same time, compliance with the NIS2 Directive must be considered, which requires that critical security vulnerabilities in operator-managed assets be remediated promptly.
Source: thehackernews.com · Published 3 June 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.2.9.