Last year, the attack was demonstrated against Apache HTTPD with a 4000x amplification rate, and was resolved in Apache HTTP Server version 2.4.64 as CVE-2025-53020.

The second part of the new exploit targets CVE-2016-8740 and CVE-2016-1546 (Slow Read), two Apache HTTPD flaws leading to DoS conditions via Continuation frames in an HTTP/2 request and via modified flow-control windows.

These HTTP/2 Slowloris-type issues are abused for memory exhaustion by advertising a zero-byte flow-control window so that the server does not send a response, and then resetting the send timeout to prevent the server from freeing memory allocations.

“What’s new here is where the amplification comes from. The classic bomb stuffs a large value into the table and references it repeatedly, so servers learned to cap the total decoded header size,” Calif notes.

“Our variant goes the other way: the header is nearly empty, and the amplification comes from the per-entry bookkeeping the server allocates around it. The decoded-size limit never fires because there’s almost nothing to decode,” the company explains.

Calif also identified a bypass for servers that cap the header-field count, and released proof-of-concept (PoC) code to demonstrate the attack.

The company says NGINX resolved the bug in April, while Apache rolled out fixes in late May (and issued CVE-2026-49975). Microsoft IIS, Envoy, and Cloudflare Pingora have not been patched at the time of writing.

“The other thing worth noting is how this exploit was found. Both halves have been public for a decade. What Codex did was read the codebases, recognize that the two compose, and build the combined attack. That combination is obvious once you see it, and yet as far as we can tell no human had put it together against these servers,” Calif notes.
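
The accounting gap described in the quotes above, as an added example that is not from Calif's PoC or from any server's code base: a per-request header budget that counts only decoded name and value bytes, next to one that also charges a fixed overhead per field, as RFC 9113 does for SETTINGS_MAX_HEADER_LIST_SIZE (32 octets per field). The limits, the class and function names, and the sample fields are assumptions constructed for illustration; a real server should charge at least what it actually allocates per entry.

```python
from dataclasses import dataclass

ENTRY_OVERHEAD = 32  # octets charged per field (RFC 9113, SETTINGS_MAX_HEADER_LIST_SIZE)


class HeaderLimitExceeded(Exception):
    """Raised when a request's header block exceeds a configured budget."""


@dataclass
class HeaderBudget:
    """Per-request budget, kept across HEADERS and CONTINUATION frames."""
    max_list_size: int = 16384    # assumed limit, in octets
    max_fields: int = 100         # assumed limit on field count
    charge_overhead: bool = True  # False models a decoded-bytes-only cap
    charged: int = 0
    fields: int = 0

    def add(self, name: bytes, value: bytes) -> None:
        """Account for one decoded field before the server stores it."""
        self.fields += 1
        self.charged += len(name) + len(value)
        if self.charge_overhead:
            self.charged += ENTRY_OVERHEAD
        if self.fields > self.max_fields:
            raise HeaderLimitExceeded("too many header fields")
        if self.charged > self.max_list_size:
            raise HeaderLimitExceeded("header list too large")


def fields_accepted(budget: HeaderBudget, decoded_fields) -> int:
    """Feed decoded fields to the budget; return how many were accepted."""
    accepted = 0
    try:
        for name, value in decoded_fields:
            budget.add(name, value)
            accepted += 1
    except HeaderLimitExceeded:
        pass  # a server would reset the stream or close the connection here
    return accepted


# Constructed sample: nearly empty fields (one-byte name, empty value).
SAMPLE = [(b"a", b"")] * 10_000

if __name__ == "__main__":
    naive = HeaderBudget(max_fields=10**9, charge_overhead=False)
    strict = HeaderBudget(max_fields=10**9)
    print("decoded-bytes-only cap accepted:", fields_accepted(naive, SAMPLE))
    print("with per-entry overhead accepted:", fields_accepted(strict, SAMPLE))
```

With the same 16 KiB limit, the decoded-bytes-only budget accepts every sample field because it has charged only 10,000 octets, while the overhead-aware budget stops once the charged size crosses the limit.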

Source: SecurityWeek