The HTTP/2 HPACK amplification vulnerability allows attackers to exploit header compression to cause disproportionate memory consumption on HTTP/2 servers. This amplification can lead to resource exhaustion (OOM) conditions, impacting server availability. The research, published with lab verification, demonstrates this effect across multiple HTTP/2 server implementations. Detection involves monitoring for low wire-byte counts with high header counts and increasing worker memory usage without corresponding traffic spikes. Mitigations include upgrading to patched versions of nginx (≥1.29.8) and Apache httpd (mod_http2 ≥2.0.41), applying configuration limits on HTTP/2 headers, tightening timeouts, and emergency disabling of HTTP/2 if necessary. The research provides a benchmark harness for authorized defensive validation and patch verification. Fix status for IIS, Envoy, and Pingora remains unconfirmed.

Successful exploitation of this vulnerability can cause significant server memory amplification, leading to potential out-of-memory conditions and service degradation or denial of service. Lab results show amplification from approximately 0.19 MB to 8 GiB on Apache httpd and from ~200 MB to 8 GiB on nginx. This can affect server stability and availability under attack conditions. No known exploits in the wild have been reported at this time.

Fixes are available and should be applied: upgrade nginx to version 1.29.8 or later and Apache httpd mod_http2 to version 2.0.41 or later. Additionally, configure server directives to limit HTTP/2 headers (e.g., http2_max_headers in nginx), apply stream and connection caps, enforce tighter timeouts, and consider emergency HTTP/2 disablement if under attack. Use the provided authorized testing harness to verify that mitigations effectively prevent memory amplification. For IIS, Envoy, and Pingora, monitor vendor advisories for patch availability. No generic mitigations beyond these specific recommendations are advised.