The Hacker News

New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare

HTTP/2 Bomb exploits HPACK and flow control; a single client can hold 32GB memory in 20 seconds, causing server outages.
SecurityWeek

‘HTTP/2 Bomb’ Exploit Knocks Web Servers Offline in Seconds

The default HTTP/2 configuration of major web servers is vulnerable to an attack chain combining a compression bomb and a Slowloris-style hold. Known denial-of-service (DoS) techniques can be chained ...

NGINX: DoS vulnerability is being attacked

Security vulnerabilities exist in NGINX Open Source and NGINX Plus from F5. One is already being exploited and leads to DoS conditions.