[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"focus:new-http-2-bomb-vulnerability-allows-remote-dos-on-nginx-apache-iis-envoy-cloudf-mpzicxvf":3},{"item":4},{"id":5,"title":6,"slug":7,"summary":8,"severity":9,"category":10,"cve_ids":11,"affected_products":12,"action_required":18,"article_ids":19,"ioc_summary":21,"source_urls":22,"status":24,"expires_at":25,"created_at":26,"updated_at":27,"articles":28},"60b4c788-80cd-437c-ac99-82716b3be710","New HTTP\u002F2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare","new-http-2-bomb-vulnerability-allows-remote-dos-on-nginx-apache-iis-envoy-cloudf-mpzicxvf","HTTP\u002F2 Bomb is a remote DoS vulnerability affecting NGINX, Apache HTTPD, IIS, Envoy, and Cloudflare Pingora. Attackers can exhaust server memory (32GB in seconds) by sending crafted HTTP\u002F2 requests that exploit HPACK compression and flow-control mechanisms. Unpatched servers are at immediate risk of service disruption from a single attacker.","critical","advisory",[],[13,14,15,16,17],"NGINX","Apache HTTPD","Microsoft IIS","Envoy","Cloudflare Pingora","Immediately patch NGINX to v1.29.8+ and Apache HTTPD mod_http2 to v2.0.41+. For IIS, Envoy, and Cloudflare Pingora: implement rate limiting on HTTP\u002F2 connections and monitor for sudden memory spikes. If patching is delayed, consider temporarily disabling HTTP\u002F2 on exposed services.",[20],"c133cb15-d9bd-4139-a219-73b512ce5829",null,[23],"https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fnew-http2-bomb-vulnerability-allows.html","active","2026-06-06T13:05:18.882+00:00","2026-06-04T13:05:21.601321+00:00","2026-06-04T13:05:26.146326+00:00",[29],{"id":20,"title":6,"url":23}]