Alerts and Advisories

Advisory: HTTP/2

Created:  09 Aug 2016
Updated:  09 Aug 2016

Originally published by CERT-UK (now a part of the National Cyber Security Centre)

Executive summary

HTTP/2 is a faster and more technically advanced version of the current HTTP 1.1 and is being widely adopted following its approval in February 2015. It is already supported by major browsers – Chrome, Firefox, IE11, Edge, Safari, and Opera – and is thought to be used by about one in ten websites.

Four vulnerabilities rated as severe have been discovered in this new version, but fixes have already been made available through a coordinated approach between the research firm and the affected vendors, including Microsoft, Apache, Nginx, Jetty and nghttp to prevent these vulnerabilities from being exploited.

What is it?

HTTP/2 (originally named HTTP/2.0) is the first major revision of HTTP, the original Hypertext Transfer Protocol network protocol used for distributed, collaborative, hypermedia information systems. Hypertext is structured text that uses logical links (hyperlinks) between nodes containing text; HTTP is the protocol to exchange or transfer hypertext. The HTTP/2 RFC was published in 2015 and is now supported by major web servers.

Which products are affected?

These vulnerabilities could potentially affect any server or service implementing or terminating HTTP/2, including but not limited to: IIS, Apache, NGINX, content delivery networks and load balancers.

What could happen if the vulnerabilities were exploited?

The attack vectors reportedly discovered include:

Slow read (CVE-2016-1546): The attack calls on a malicious client to read responses very slowly and despite slow read attacks being well-known in the HTTP ecosystem, they are still effective in the latest evolution of the web protocol. However, on this occasion they take place in the application layer of HTTP/2 implementations. Variants of this vulnerability have been discovered across Apache, IIS, Jetty, NGINX, and nghttp2.

HPACK bomb (CVE-2016-1544), (CVE-2016-2525): Researchers say this attack resembles a “zip bomb”, a malicious archive file designed to crash the program or system reading it and often used to disable antivirus software. By exploiting a vulnerability in the compression layer of HTTP/2 requests can be sent which, once decompressed, increase hugely in size, causing server memory resources to be consumed and the server to crash or become unavailable.

Dependency Cycle attack: HTTP/2 introduced a new flow control mechanism designed to optimise networks. However, the mechanism can be exploited should an attacker craft requests which create a dependency cycle – creating an infinite loop which cannot be escaped when the flow control system attempts to process these requests.

Stream Multiplexing Abuse (CVE-2016-0150): This emerges when attackers use security flaws present in how servers implement stream multiplexing functionality. These bugs can crash servers, resulting in a denial of service to legitimate users.

What can I do?

Fixes should have already been made available for applicable servers and browsers. Contact individual vendors/suppliers for more information.

Where can I find more information?

The original research from the discoverers, with full technical breakdown of the four different flaws, is available at

Was this information helpful?

We need your feedback to improve this content.

Yes No