How did OpenAI's Codex find HTTP/2 Bomb?
OpenAI’s Codex helped uncover a server-stalling DoS
OpenAI’s Codex agent was involved in discovering a remote denial-of-service technique dubbed the “HTTP/2 Bomb,” which security researchers say can knock web servers offline by exhausting memory quickly.
The core claim is that an attacker can exploit HTTP/2 compression and flow-control behavior to stall server resources, producing a rapid ramp-up in memory usage. The coverage says the exploit can “nuke over 30GB of RAM within seconds,” leaving major web servers unable to respond promptly.
This matters because DoS attacks are often framed as bandwidth or connection-count problems, whereas this technique targets protocol behavior and resource exhaustion, which simple connection limits do not readily mitigate. If a vulnerability can trigger large memory consumption almost immediately, defenders need either protocol-level patches or very specific workload protections.
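The point that a connection-count limit is the wrong lever for a memory-exhaustion DoS can be shown with a small accounting model. The following is an added example, not code from the article, from OpenAI, or from any web server project; it does not reproduce the HTTP/2 Bomb mechanism. It assumes a front end that can report, per connection, the bytes it is holding and the client's remaining flow-control credit (the field names, budget values and sample connections are constructed for illustration).

```python
"""Per-connection resource accounting for an HTTP/2 front end (illustrative).

Added example, not from the article or from any server project. It does not
model the HTTP/2 Bomb itself; it only shows why a connection-count limit misses
a memory-exhaustion DoS while a per-connection memory budget and a
stalled-window check catch it. Metric names and sample values are constructed.
"""
from dataclasses import dataclass


@dataclass
class ConnStats:
    conn_id: str
    open_streams: int
    buffered_bytes: int            # bytes the server holds for this connection (assumed metric)
    peer_window: int               # flow-control credit the client still advertises (assumed metric)
    seconds_since_progress: float  # time since the client last consumed data (assumed metric)


MAX_CONNECTIONS = 10_000                      # a typical connection-count ceiling (assumed)
PER_CONN_MEMORY_BUDGET = 8 * 1024 * 1024      # 8 MiB per connection (assumed budget)
STALL_SECONDS = 5.0                           # how long a zero window may persist (assumed)


def connection_count_limit_ok(conns):
    """The classic control: only looks at how many connections exist."""
    return len(conns) <= MAX_CONNECTIONS


def total_buffered(conns):
    """Memory the server is holding across all connections."""
    return sum(c.buffered_bytes for c in conns)


def flag_connections(conns, budget=PER_CONN_MEMORY_BUDGET, stall=STALL_SECONDS):
    """Return (conn_id, reason) pairs that a per-connection policy would act on.

    Two defensive checks that a connection count cannot express:
      1. a single connection exceeding its memory budget;
      2. a connection whose advertised window sits at zero while the server
         still holds data for it, i.e. the peer is not draining what it asked for.
    """
    flagged = []
    for c in conns:
        if c.buffered_bytes > budget:
            flagged.append((c.conn_id, "memory budget exceeded"))
        elif c.peer_window == 0 and c.buffered_bytes > 0 and c.seconds_since_progress > stall:
            flagged.append((c.conn_id, "flow-control window stalled with data pending"))
    return flagged


# Constructed sample: three connections, one of which holds half a gigabyte.
SAMPLE = [
    ConnStats("c1", open_streams=4, buffered_bytes=64 * 1024, peer_window=65535, seconds_since_progress=0.2),
    ConnStats("c2", open_streams=100, buffered_bytes=512 * 1024 * 1024, peer_window=0, seconds_since_progress=12.0),
    ConnStats("c3", open_streams=2, buffered_bytes=1024 * 1024, peer_window=0, seconds_since_progress=9.0),
]

if __name__ == "__main__":
    print("connection-count limit satisfied:", connection_count_limit_ok(SAMPLE))
    print("total buffered MiB:", total_buffered(SAMPLE) // (1024 * 1024))
    for conn_id, reason in flag_connections(SAMPLE):
        print(f"{conn_id}: {reason}")
```

With the sample input the connection-count check passes (three connections is nowhere near the ceiling), yet one connection alone accounts for 512 MiB and two have zero-window stalls with data pending. A defender who only has the first control sees a healthy server until memory is gone; per-connection budgets and stall timeouts are the kind of workload-specific protection the paragraph above refers to.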
The reporting also frames the discovery as part of the broader trend of AI-assisted security work: instead of only generating code, an agent can help explore exploit chains or identify unusual failure modes in software logic.
For organizations, the immediate relevance is defensive: HTTP/2-enabled services may need to be reviewed for exposure, and teams that run web infrastructure should ensure they’re following relevant security guidance for affected server implementations.
In short, the discovery highlights two converging themes:
- New DoS research can emerge from protocol-edge cases, not just application bugs
- AI coding assistants are increasingly being used in security workflows, including finding exploits that can stress infrastructure at scale