OpenAI's agent chained decade-old DoS attacks to crash web servers in seconds

Jun 04, 2026 - 22:50

Security

Codex drops an HTTP/2 Bomb

The next threat your server faces may have been helped along by a bot. OpenAI's Codex agent helped uncover a remote denial-of-service (DoS) exploit that can be launched from a single machine to render vulnerable web servers inaccessible in seconds, according to Calif security researchers.

The attack works on default HTTP/2 configurations of major web servers including nginx, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora. As of Thursday, Microsoft IIS and Cloudflare Pingora still don’t have a patch, according to the researchers, although Cloudflare disputes this finding.

“Cloudflare's existing architecture and DDoS mitigations automatically detect and protect against this attack, making customers resilient to this vulnerability,” a spokesperson told The Register. “No patch is needed.”

“We are aware and actively investigating appropriate mitigations to help keep customers protected," a Microsoft spokesperson told The Register.

Calif researcher Quang Luong discovered the exploit, named it HTTP/2 Bomb, and will present the full technical details of the attack at the Real World AI Security conference later this month. In the meantime, there are proof-of-concept exploit scripts on GitHub along with a warning from the AI red teaming security shop: “Please don't point these at infrastructure you don't own.”

In a Tuesday blog, Luong says Codex chained two existing DoS attack techniques that have been known for more than a decade - HPACK compression bomb and Slowloris-style hold - and warns that upwards of 880,000 websites supporting HTTP/2 and running one of the vulnerable web servers may be affected.

An HPACK bomb attack (also known as CVE-2016-6581) exploits the HTTP/2 header compression algorithm (HPACK) by sending thousands of tiny messages to the server, forcing it to rapidly allocate memory and ultimately crash.

Then the Slowloris DoS attack (CVE-2016-8740 and CVE-2016-1546) overwhelms the server by opening legitimate connections and maintaining them as long as possible. 

Combining the two exhausts the server’s memory and forces it offline.

“A home computer on a 100Mbps connection can render a vulnerable server inaccessible within seconds,” Luong wrote. “Against Apache httpd and Envoy, a single client can consume and hold 32GB of server memory in roughly 20 seconds.”

The Calif research team disclosed the issue to nginx in April, and the web server’s maintainers fixed it the next day in version 1.29.8, which imports the max_headers directive from freenginx.

Apache issued a fix (mod_http2 v2.0.41) the same day that Calif submitted its report, and assigned it CVE-2026-49975. 

“The fix commits above are public and disclose the vectors directly; any capable AI model can turn those diffs into a working exploit, which is exactly how we found that Microsoft IIS, Envoy, and Pingora are also vulnerable,” the threat hunting team wrote, adding that all three have been notified.

In a Wednesday update, Calif pointed to Envoy patches “that appear to mitigate this attack,” and notes that its researchers are still validating the fix to ensure it works.

For Microsoft IIS and Cloudflare Pingora, the security sleuths recommend disabling HTTP/2 if possible, or enforcing a cap on the number of HTTP headers a client can send in a single request to the server.
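For servers where a header-count cap is available, the mitigation above is a one-line configuration change. The fragment below is an added illustration, not a configuration published by Calif or by the nginx project: it assumes the max_headers directive that the article says nginx 1.29.8 imported from freenginx, and the limit of 100 header fields is an assumed value chosen for illustration, not a number from the report. The timeout directives are long-standing nginx settings that bound how long an idle or slow client can hold a connection, which addresses the Slowloris half of the chain; the values shown are likewise assumed.

```nginx
# Added example (not from the original article or from nginx/Calif).
# Assumes nginx >= 1.29.8, which the article says carries the
# max_headers directive imported from freenginx.
http {
    # Cap the number of header fields a client may send in one request.
    # 100 is an assumed illustrative value; tune it to the largest
    # legitimate request your applications actually produce.
    max_headers 100;

    # Bound how long a client may take to send the request headers and
    # how long an idle keep-alive connection is held open, so a single
    # host cannot park thousands of half-finished requests on the server.
    # Both values are assumed for illustration.
    client_header_timeout 10s;
    keepalive_timeout     15s;

    server {
        listen 443 ssl;
        http2 on;
        # ... certificate and location configuration as usual ...
    }
}
```

After changing these values, reload nginx and watch the error log for requests rejected at the new header limit; a burst of rejections from one client address is the signal a defender would expect from the header-flood half of this attack, while legitimate traffic should be unaffected if the cap was set above the real-world header count.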

The fact that a coding agent - not a human - discovered this attack is notable, according to Calif. “Both halves have been public for a decade,” Luong wrote. “What Codex did was read the codebases, recognize that the two compose, and build the combined attack. That combination is obvious once you see it, and yet as far as we can tell no human had put it together against these servers.” ®

Updated at 2023 with statement from Microsoft.
