kb: technical
kb: security
Situation
The CVE-2026-49975 vulnerability, referred to as "HTTP/2 Bomb", was discovered in multiple web server implementations, including Apache httpd and nginx.
Impact
Remote unauthenticated attackers can exploit this flaw to cause a denial-of-service condition by exhausting server memory, leading to a web server crash and service unavailability.
Call to action
NGINX provides native protection by utilizing the max_headers directive (imported from freenginx), which enforces a hard cap on the number of headers per request.
The fix is available in NGINX 1.29.8 and later, where the directive is natively integrated.
Plesk ships NGINX 1.30.2.
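
A host-side check for the fix described above, as an added example that is not Plesk or NGINX code: it parses the `nginx -v` banner, compares the version with 1.29.8, and lists any explicit `max_headers` values found in an `nginx -T` configuration dump. The function names and status strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not vendor code): does this nginx build have the max_headers fix?
MIN_VERSION="1.29.8"   # first release with max_headers, per the article above

# Extract "X.Y.Z" from a banner such as "nginx version: nginx/1.30.2".
parse_nginx_version() {
    printf '%s\n' "$1" |
        sed -n 's|.*nginx/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
        head -n 1
}

# Succeed when dotted version $1 is greater than or equal to $2.
version_ge() {
    for field in 1 2 3; do
        have=$(printf '%s' "$1" | cut -d. -f"$field")
        need=$(printf '%s' "$2" | cut -d. -f"$field")
        if [ "${have:-0}" -gt "${need:-0}" ]; then return 0; fi
        if [ "${have:-0}" -lt "${need:-0}" ]; then return 1; fi
    done
    return 0
}

# Print every explicit max_headers value in a config dump ($1); comments are skipped.
explicit_caps() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*max_headers[[:space:]][[:space:]]*\([0-9][0-9]*\)[[:space:]]*;.*/\1/p'
}

# Classify a host from its version banner ($1) and config dump ($2).
assess() {
    version=$(parse_nginx_version "$1")
    if [ -z "$version" ]; then echo "unknown: no nginx version in banner"; return 0; fi
    if ! version_ge "$version" "$MIN_VERSION"; then
        echo "upgrade: nginx $version predates $MIN_VERSION"; return 0
    fi
    caps=$(explicit_caps "$2" | tr '\n' ' ' | sed 's/ *$//')
    if [ -n "$caps" ]; then
        echo "ok: nginx $version, explicit max_headers $caps"
    else
        echo "ok: nginx $version, no explicit max_headers line"
    fi
}

# Live check, only when nginx is installed (nginx -v writes to stderr).
if command -v nginx >/dev/null 2>&1; then
    assess "$(nginx -v 2>&1)" "$(nginx -T 2>/dev/null || true)"
fi
```

`nginx -T` usually needs root to read the full configuration; without it the script still reports the version result.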