OpenAI's agent chained decade-old DoS attacks to crash web servers in seconds

## Executive summary A security researcher demonstrated an "HTTP/2 Bomb" DoS that composes a decade-old HPACK header-compression bomb with a Slowloris-style connection hold to quickly exhaust memory and crash major HTTP/2-capable servers (nginx, Apache, Envoy, Microsoft IIS, Cloudflare Pingora). Proof-of-concept exploits exist, some vendors have patched (nginx, Apache, Envoy mitigations reported) while others were still unpatched at disclosure; recommended mitigations include disabling HTTP/2 or capping header counts until fixes are applied.