2 posts
A single HTTP/2 connection from a home laptop can pin tens of gigabytes of server RAM in seconds. How the AI-discovered HTTP/2 Bomb works and how to defend.
High-severity (CVSS 8.6) SSRF in the Next.js WebSocket upgrade handler lets unauthenticated attackers proxy GETs to internal services on port 80.