HTTP/2 BOMB vulnerability mitigation

aprelium-support

A vulnerability affecting most HTTP/2-capable Web server has been made public yesterday : https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb .

It takes advantage of two HTTP/2 mechanisms and allows a single request to consume large amounts of memory on the server while decoding HTTP headers. The huge memory allocations can even cause OOM errors (out of memory) and repeated denials of service.

Since proof of concepts are already circulating in the wild, we urge all our customers and users with Web-facing servers to disable HTTP/2 support temporarily until a patched version of Abyss Web Server is released.

To be on the safe side, please follow these instructions:

Open Abyss Web Server console
Select Server Configuration
Select Parameters
Press the Edit button in front of Advanced Parameters
Press the Edit button in front of HTTP/2 Parameters
Check Disable
Press OK three time until you get back to the Server Configuration screen
Press Restart to apply the change.

A patched version will be announced next week.

aprelium-support

After an audit of our HTTP/2-related source code, here are our findings:

Abyss Web Server is partially affected by the HTTP/2 BOMB vulnerability.
Abyss Web server is not subject to the catastrophic failures experienced with other Web server software.
There will be excess of memory usage for each BOMB request, but it won't degenerate in OOM (out of memory) crashes unless you're on a very restricted system with 1 GB RAM or less.
The excess of memory usage will be correctly reclaimed after the request is over.
Abyss Web Server won't crash with HTTP/2 BOMB proof-of-concept tool: it will be slow with larger memory consumption, but will revert to normality as soon as the BOMB attack stops.

However, Abyss Web Server's code audit has revealed other potential failures that a BOMB-class attack may trigger. So we'll be working on hardening the places where such issues may occur.

Disabling HTTP/2 is still highly recommended for now.

tfh

Any time-line on when we can expect an update?
Running a server with a lot of images is no fun with HTTP/1.1, especially with visitors from the other side of the world.

Also, did you test on a Windows platform as well? As you might remember, there is quite some difference in behaviour of your webserver on Windows compared to Linux. Especially when it comes down to memory usage, CPU usage and threads that end up hanging.

aprelium-support

tfh Any time-line on when we can expect an update?

The OpenSSL have announced a high severity vulnerability too and we're waiting for their fix due tomorrow. So we'll do our best to have the new version ready by the end of the week.

tfh Also, did you test on a Windows platform as well? As you might remember, there is quite some difference in behaviour of your webserver on Windows compared to Linux.

HTTP/2 BOMB affects code paths not in the specific platform code. It's targeting how HTTP headers got built when parsing a request.

SumGuy

Is Abyss server X1 affected by this bomb thing?

I don't see HTTP/2 parameters under Server Configuration - Parameters - Advanced Parameters.

aprelium-support

SumGuy Abyss Web Server X1 is also affected.

Which version are you using? We suspect you're with a very old version with no HTTP/2 support. That's why there are no such parameters under Server Configuration - Parameters - Advanced Parameters.

tfh

Any update?

aprelium-support

tfh The update is ready and will be released within 48 hours.

SumGuy

aprelium-support I'm using 2.11.8. If it doesn't support HTTP/2 then there's no need to take any action against this? Or does the vulnerability still exist?

rayleech

aprelium-support
I've tried the new version and haven't detected any problems so far. Thanks!

aprelium-support

SumGuy You are using an old version which predates HTTP/2 support. So there is no way your version is affected by BOMB.
But such an old version is affected by numerous shortcoming and vulnerabilities in the TLS/SSL support. You're also missing several new features and support for modern protocol.
So we strongly suggest upgrading tomorrow to a newer version of X1...

tfh

Running the new version: Thanks.

When will we get to see a new feature release? I has been like 5 years now and all we had are updates/fixes but no new features?

aprelium-support

tfh Running the new version: Thanks.

Thank you for your positive report.

A clarification to other readers: @tfh has access to our Beta release channel where we've published the preview of the new version earlier today. If feedback is fine from other users and customers, we will probably make it public within a few hours.

aprelium-support

tfh When will we get to see a new feature release?

We plan to discuss with our long time customers and users the list of features that should be prioritized.
We have not yet decided about the way to organize the exchange and gather their feedback.

aprelium-support

rayleech

Welcome on the new forum and thank you for your feedback.

aprelium-support

We've just officially launched Abyss Web Server 2.16.22 which hardens the software against this class of attacks:
https://forum.aprelium.com/d/653531-abyss-web-server-21622-is-ready

lpele

I noticed that abyss web server was using a lot of memory especially when there is a lot of traffic or attacks.

I recorded for example 12 GB on March 20 2026 or 14 GB on April 29 2025

I'm not sure it is linked to this issue (support team told me to change some settings to reduce memory usage) but after restart with the new version and waiting a few hours, Memory usage is just 93 Mb !

aprelium-support

lpele I recorded for example 12 GB on March 20 2026 or 14 GB on April 29 2025

This was probably bot traffic... We admit this kind of memory consumption is huge. But it is usually a symptom of a very large value for "Maximum Simultaneous Connections" parameter in "Server Parameters" coupled with lax values for timeouts and keep-alive requests.

Anyway, the new version should be more conservative regarding memory usage. It is better tuned to HTTP/2 traffic.