Info Only: HTTP/2 Bomb (remote denial-of-service)

FYI

@nu01 Thanks for sharing.

I just wanted to let you know that Hestia is not affected. The main Nginx instance is running version 1.30.2, and Apache2 does not have the HTTP/2 module enabled. The Nginx instance managing the Hestia Control Panel is also running Nginx 1.30.2, so it is not affected either.

Yes, and hence I started with “FYI”. 🙂

Just wanted to make it clear that we are not affected.

Just thought I’d add that, as the nginx version is not vulnerable, it will let us set the max_headers directive.
Default is 1000 (nginx -T | grep max_header), which is quite generous. I’d be tempted to set it lower. You can do this within the http{} stanza in nginx.conf.
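
The grep check from the last post, extended into a small audit that also handles the "not set, so the default applies" case and commented-out lines. This is an added example, not code from the thread or from Hestia; the function name, the ceiling of 200 and the sample dump are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit max_headers in an `nginx -T` dump.
# Live use, as root:  nginx -T 2>/dev/null | audit_max_headers 200

NGINX_DEFAULT_MAX_HEADERS=1000   # default quoted in the post above

# Reads a config dump on stdin. $1 = ceiling to accept (200 is an assumed
# site policy, not a recommendation from the thread).
# Prints "<OK|HIGH> <value> <file>" per directive, or "DEFAULT <n> (not set)".
# Returns non-zero when the effective value exceeds the ceiling.
audit_max_headers() {
    limit="${1:-200}"
    awk -v limit="$limit" -v def="$NGINX_DEFAULT_MAX_HEADERS" '
        BEGIN { file = "-" }
        # nginx -T prefixes every included file with this marker line
        /^# configuration file / { file = $4; sub(/:$/, "", file); next }
        { sub(/#.*/, "") }        # ignore commented-out directives
        match($0, /(^|[ \t;{])max_headers[ \t]+[0-9]+[ \t]*;/) {
            v = substr($0, RSTART, RLENGTH)
            gsub(/[^0-9]/, "", v)
            found = 1
            state = (v + 0 > limit + 0) ? "HIGH" : "OK"
            if (state == "HIGH") bad = 1
            printf "%s %s %s\n", state, v, file
        }
        END {
            if (!found) {
                printf "DEFAULT %s (not set)\n", def
                if (def + 0 > limit + 0) bad = 1
            }
            exit bad
        }'
}

# Constructed sample dump, for illustration only.
SAMPLE_DUMP='# configuration file /etc/nginx/nginx.conf:
http {
    # max_headers 50;
    max_headers 1000;
}'
printf '%s\n' "$SAMPLE_DUMP" | audit_max_headers 200 || true
```
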