14 years ago, I helped break HTTP header compression, then was asked to review the fix, which became part of HTTP/2. Life has come full circle: today we're releasing an attack I missed.
Checked if https://ramaproxy.org/ is vulnerable to it, but no, seems we are fine :) On all parts of it. Thank you for the published research btw!
Do CDN service providers like Cloudflare / AKAMAI stop the HTTP/2 bomb, as connections are terminated at the edge point?
OP ignored the responsible disclosure policy and released a 0-day for the Envoy ecosystem. The Envoy community was in the process of releasing a patch for this problem: https://github.com/envoyproxy/envoy/security/advisories/GHSA-22m2-hvr2-xqc8
Thanks for fixing the issue so quickly — this is a win for Envoy users. We believe the traditional disclosure model is increasingly outdated in the era of AI-assisted vulnerability discovery, and we explain our rationale for disclosure in the post.
responsible disclosure?