Security firm Calif disclosed a remote denial-of-service vulnerability called HTTP/2 Bomb. Researchers used OpenAI Codex to discover the exploit. The vulnerability chains HPACK compression bombs with Slowloris-style resource holding.
The exploit targets Microsoft IIS, Nginx, Apache HTTPD, and Cloudflare Pingora. A single attacker can trigger rapid system failure: the vulnerability exhausts server memory and crashes the server within seconds.
F5-owned Nginx and Apache issued patches for the flaw. Microsoft IIS, Envoy, and Cloudflare Pingora remained unpatched at the time of the announcement. This discovery highlights the potential for AI tools to identify complex infrastructure vulnerabilities.