Hi Lukas,

On Wed, Jun 03, 2026 at 09:45:09AM +0200, Lukas Tribus wrote:
> Hello,
>
>
> FYI there is a new HTTP/2 (HPACK) attack against servers/proxies:
>
> https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb

Yep I saw it this morning as well, thanks!

> > HPACK Indexed Reference Bomb: seed the dynamic table
> > with one header, then emit thousands of 1-byte indexed
> > references to it. Each reference costs the attacker one wire
> > byte and the server anywhere from ~70 bytes (nginx, IIS,
> > Pingora) to ~4,000 bytes (Apache httpd, Envoy) of allocation.
> >
> > HTTP/2 Window Stall: advertise a zero-byte flow-control window
> > so the server can never finish sending its response, then drip
> > 1-byte WINDOW_UPDATE frames to keep resetting the send
> > timeout, pinning every allocation in memory for as long as the
> > server's timeout allows.
>
> Haproxy is not mentioned in this article; I'm not sure if we are
> affected or not.

Indeed it's not. This is about unbounded header decompression. In our case
the whole headers remain limited to tune.bufsize so we don't have this
problem.

Thanks for the heads up!
Willy
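The following Python sketch is an added illustration of the mechanism discussed in this thread; it is not part of the thread and not HAProxy code. It builds the "indexed reference bomb" summarised in the quoted text (one literal header with incremental indexing to seed the HPACK dynamic table, followed by N one-byte indexed references to dynamic index 62), then decodes it with a minimal RFC 7541 decoder twice: unbounded, to show the wire-to-decoded amplification, and with a cap on the decoded header-list size, which stops the expansion after a handful of fields. The cap is modelled on SETTINGS_MAX_HEADER_LIST_SIZE accounting (name + value + 32 per field) and is only an illustration of the "bounded decompression" idea; it is not a description of how tune.bufsize is implemented. The header name `x-pad`, the 100-byte value, the reference count and the static-table subset are all constructed for the example.

```python
# Added example: the HPACK "indexed reference bomb" and a decoder that caps
# the decoded header list.  Wire format per RFC 7541: indexed field =
# 1xxxxxxx (7-bit index), literal with incremental indexing = 01xxxxxx
# (6-bit index, 0 = literal name), string = 1 Huffman bit + 7-bit length.
# Dynamic-table entries are addressed from index 62 upward, newest first.

# Subset of the RFC 7541 Appendix A static table (entries 9..61 omitted).
STATIC_TABLE = {
    1: (b":authority", b""), 2: (b":method", b"GET"), 3: (b":method", b"POST"),
    4: (b":path", b"/"), 5: (b":path", b"/index.html"), 6: (b":scheme", b"http"),
    7: (b":scheme", b"https"), 8: (b":status", b"200"),
}
STATIC_TABLE_SIZE = 61
ENTRY_OVERHEAD = 32   # RFC 7541 s4.1: a field costs len(name) + len(value) + 32


class HeaderListTooLarge(Exception):
    """Decoded header list exceeded the configured cap."""


def decode_integer(data, pos, prefix_bits):
    """RFC 7541 s5.1: return (value, next_pos) for the N-bit-prefix int at pos."""
    max_prefix = (1 << prefix_bits) - 1
    value = data[pos] & max_prefix
    pos += 1
    if value < max_prefix:
        return value, pos
    shift = 0
    while True:
        b = data[pos]
        pos += 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def decode_string(data, pos):
    """Raw (non-Huffman) string literal; Huffman strings are out of scope."""
    if data[pos] & 0x80:
        raise NotImplementedError("Huffman-coded string")
    length, pos = decode_integer(data, pos, 7)
    return bytes(data[pos:pos + length]), pos + length


def lookup(index, dynamic):
    """Resolve a table index; 62 and above address the dynamic table."""
    if index <= STATIC_TABLE_SIZE:
        return STATIC_TABLE[index]          # KeyError outside the demo subset
    return dynamic[index - STATIC_TABLE_SIZE - 1]


def build_reference_bomb(name, value, references):
    """Constructed attacker payload: one literal-with-incremental-indexing
    field seeds the dynamic table, then `references` one-byte indexed
    references (0x80 | 62) point at it.  Lengths are kept below 127 so the
    7-bit length prefix fits in a single byte."""
    assert len(name) < 127 and len(value) < 127
    seed = bytes([0x40, len(name)]) + name + bytes([len(value)]) + value
    return seed + bytes([0x80 | (STATIC_TABLE_SIZE + 1)]) * references


def decode_header_block(data, max_header_list_size=None):
    """Minimal decoder (indexed + incremental-indexing literals, no eviction).
    Returns (headers, decoded_size) using SETTINGS_MAX_HEADER_LIST_SIZE
    accounting and raises HeaderListTooLarge as soon as the running total
    passes the cap.  None means unbounded, the condition the bomb relies on."""
    dynamic, headers, total, pos = [], [], 0, 0
    while pos < len(data):
        b = data[pos]
        if b & 0x80:                                 # indexed representation
            index, pos = decode_integer(data, pos, 7)
            if index == 0:
                raise ValueError("index 0 is a decoding error")
            name, value = lookup(index, dynamic)
        elif b & 0xC0 == 0x40:                       # literal, incremental indexing
            index, pos = decode_integer(data, pos, 6)
            if index:
                name = lookup(index, dynamic)[0]
            else:
                name, pos = decode_string(data, pos)
            value, pos = decode_string(data, pos)
            dynamic.insert(0, (name, value))         # becomes index 62
        else:
            raise NotImplementedError("other field representations omitted")
        total += len(name) + len(value) + ENTRY_OVERHEAD
        if max_header_list_size is not None and total > max_header_list_size:
            raise HeaderListTooLarge(f"header list > {max_header_list_size} bytes")
        headers.append((name, value))
    return headers, total


def amplification(references=4000, cap=None):
    """(wire_bytes, decoded_bytes, field_count) for a constructed bomb; with a
    cap set, the call raises HeaderListTooLarge instead of returning."""
    payload = build_reference_bomb(b"x-pad", b"A" * 100, references)
    headers, decoded = decode_header_block(payload, cap)
    return len(payload), decoded, len(headers)
```

With 4000 references the payload is 4108 wire bytes and decodes to 4001 fields, about 548 KB in header-list accounting, so each extra wire byte buys the attacker one more 137-byte field; the article's per-reference figures are higher because they count each server's actual allocation, which this sketch does not model. With `cap=16384` the same payload is rejected after roughly 120 fields. The window-stall half of the attack is not modelled here.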

