
HTTP/2’s speed abused to slow webserver performance in DoS attack
Security researchers are warning of an issue with the default HTTP/2 configuration used by major web servers, one that reportedly survived more than a decade of human review before showing up in Codex-assisted analysis.
A flaw in the handling of the HTTP/2 protocol made a denial-of-service (DoS) attack possible on web servers including nginx, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare’s Pingora, according to security consultancy Calif.
HTTP/2 was introduced in 2015 to increase the speed of HTTP by allowing multiple simultaneous connections, and is gradually being superseded by HTTP/3, which is built on the new QUIC encrypted transport protocol. The problem uncovered by Calif lies i...