HTTP/2 Bomb DoS in Apache HTTP Server mod_http2

This repository is a small standalone Python proof-of-concept for CVE-2026-49975, an HTTP/2 remote denial-of-service issue. It contains one executable code file (exploit-test.py), a README describing the vulnerability and usage, and a license. The exploit is not part of a larger framework. The main script manually implements enough of the HTTP/2 protocol to open a connection, send the HTTP/2 client preface, exchange SETTINGS, and transmit crafted HEADERS/CONTINUATION frames. Its core technique is to seed the HPACK dynamic table with a header entry and then reference that entry thousands of times using indexed references. According to the code and README, this causes vulnerable servers to allocate disproportionate memory per reference. The script also sets INITIAL_WINDOW_SIZE to zero and periodically sends tiny WINDOW_UPDATE frames so the server cannot fully send responses or release memory, extending the lifetime of the allocations. Capabilities include: targeting arbitrary host/port pairs; optional TLS or cleartext h2c; parallel attack threads; multiple streams per connection; configurable number of HPACK references; and two attack modes. The nginx mode uses an empty x-bomb header to trigger bookkeeping-heavy allocation with lower per-reference amplification, while the classic mode uses a large cookie value intended for Apache/Envoy-style amplification. The script estimates expected server RAM pressure and continuously reconnects to sustain the attack. Fingerprintable targets are mostly user-supplied rather than hardcoded. The exploit operates against a remote TCP service speaking HTTP/2, typically on ports 443 or 80. No hardcoded malicious callback infrastructure, C2, or exfiltration endpoints are present. Overall, this is an operational network DoS PoC designed to exhaust memory on vulnerable HTTP/2 server implementations rather than achieve code execution or persistence.

Repository contains a functional Python proof-of-concept for CVE-2026-49975 ('HTTP/2 Bomb'), plus two small Bash helper scripts and a Docker Compose lab definition for local testing against nginx and Apache. The main exploit file ('POC HTTP-2-Bomb') manually constructs HTTP/2 frames over raw sockets, optionally wrapped in TLS, and sends the HTTP/2 client preface followed by a SETTINGS frame that sets INITIAL_WINDOW_SIZE to 0. It then builds an HPACK-based header bomb using one literal header ('x-bomb') and thousands of indexed references, splits the payload across HEADERS and CONTINUATION frames, and keeps the connection alive indefinitely with minimal WINDOW_UPDATE and periodic PING frames. This structure indicates a remote DoS exploit intended to maximize server memory consumption while preventing the target from draining state. The Bash scripts are passive/quick checks for HTTP/2 support and server banner collection rather than exploitation. The Docker lab exposes nginx on localhost:8080 and Apache on localhost:8081 for reproducible testing. Overall, the repository’s purpose is to demonstrate and test a network-based HTTP/2 resource exhaustion attack against vulnerable web servers.