HTTP/2 Bomb Vulnerability Checker
CVE-2026-49975
CVSS 9.8 Critical
Non-intrusive scanner. Checks TLS ALPN negotiation for HTTP/2 support, reads the Server header, analyses CDN/proxy headers, and fingerprints HTTP/2 SETTINGS frames to identify software and version. No exploit code is sent.
Limitations & caveats
Passive detection only: TLS handshake + HEAD request. Identifies server software from response headers, CDN/proxy from Via/X-Cache/X-Powered-By, and HTTP/2 implementation from SETTINGS frame analysis. No HPACK manipulation or exploit payloads.
What this tool can reliably detect
Whether HTTP/2 is enabled (via TLS ALPN negotiation)
Server software and version when exposed in the Server header
nginx version below/above the patched 1.29.8
Microsoft IIS with HTTP/2 (no patch exists)
CDN/proxy layer (Cloudflare, AWS CloudFront, Akamai, Fastly, Heroku, Vercel, Netlify)
HTTP/3 support (via Alt-Svc header)
HTTP/2 SETTINGS frame fingerprint (helps identify hidden servers)
What this tool cannot detect (blind spots)
Hidden server headers — many servers strip the Server header. SETTINGS fingerprinting may help but is not definitive.
CDN masking — if behind a CDN, you see the CDN, not the origin. Now detected and flagged separately.
Apache mod_http2 version — fix is in mod_http2 v2.0.41, not exposed in headers. Always shows "Potentially Vulnerable".
Envoy version — not exposed in headers. Patched versions: 1.35.11, 1.36.7, 1.37.3, 1.38.1+.
HTTP/2 cleartext (h2c) — rare but possible, not checked.
Backend services — only the front-facing server is scanned, not internal microservices.
Possible false positives
Cloudflare — may have patched silently without public advisory.
Envoy — flagged as potentially vulnerable even if patched (version not exposed).
Apache — flagged even if mod_http2 is already updated.
Possible false negatives
Server header stripped — vulnerable server hidden behind a blank header.
CDN terminates HTTP/2 — origin could be vulnerable on internal traffic.
Load balancer — you see the LB, not the backend servers.
Servers not yet tested by researchers
Caddy, HAProxy, Traefik, LiteSpeed, Kestrel (ASP.NET), Jetty — flagged as "Not Tested" if detected.
Bottom line
VULNERABLE / High — act on it.
POTENTIALLY VULNERABLE / Medium — investigate with the server team.
CDN DETECTED — CDN hides the origin. Check with provider + verify origin directly.
NOT TESTED — server software wasn't in the original research. Monitor advisories.
NOT VULNERABLE / High — reliable, HTTP/2 confirmed off.
UNKNOWN — needs manual verification.
SITE NOT FOUND — could not connect.
CVE-2026-49975 (CVSS 9.8) — HTTP/2 Bomb. HPACK compression table amplification + flow control window abuse = remote memory exhaustion.
Affects: nginx <1.29.8, Apache httpd (mod_http2 <2.0.41), Microsoft IIS (unpatched), Envoy <1.35.11, Cloudflare Pingora.
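The passive procedure the page describes (TLS ALPN negotiation, one HEAD request, Server and CDN/proxy header analysis, then one of the verdict labels from the "Bottom line" list) is small enough to reproduce in a script. The following is an added example written for this page; it is not the checker's own code and not taken from any of the cited advisories. It assumes only the Python standard library. The nginx and Envoy patch thresholds, the CDN and "Not Tested" name lists and the verdict labels are the ones stated on this page; treating Envoy branches older than 1.35 as unpatched is my reading of "Envoy <1.35.11" and is marked as an assumption in the code. The SETTINGS-frame fingerprint step is left out. `classify` is deliberately a pure function over the ALPN result and a header dict, so it can be exercised on constructed headers without a network; `scan` wires it to a live host.

```python
import http.client
import re
import socket
import ssl
from typing import Optional, Tuple

# Patch thresholds and name lists exactly as the page states them.
NGINX_FIXED = (1, 29, 8)
ENVOY_FIXED = ((1, 35, 11), (1, 36, 7), (1, 37, 3), (1, 38, 1))
CDN_MARKERS = ("cloudflare", "cloudfront", "akamai", "fastly", "heroku", "vercel", "netlify")
NOT_TESTED = ("caddy", "haproxy", "traefik", "litespeed", "kestrel", "jetty")
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

def parse_version(server_value: str) -> Optional[Tuple[int, int, int]]:
    """First dotted version in a Server value, e.g. 'nginx/1.29.8' -> (1, 29, 8)."""
    m = _VERSION_RE.search(server_value or "")
    if not m:
        return None
    major, minor, patch = (int(p or 0) for p in m.groups())
    return (major, minor, patch)

def envoy_patched(version: Tuple[int, int, int]) -> bool:
    """Fixed builds per the page: 1.35.11, 1.36.7, 1.37.3, 1.38.1+. Branches
    older than 1.35 are treated as unpatched (assumption from 'Envoy <1.35.11')."""
    if version[:2] > (1, 38):
        return True
    for fixed in ENVOY_FIXED:
        if fixed[:2] == version[:2]:
            return version >= fixed
    return False

def supports_http3(headers: dict) -> bool:
    """HTTP/3 is advertised through Alt-Svc, as the page notes."""
    return "h3" in headers.get("alt-svc", "").lower()

def detect_cdn(headers: dict) -> Optional[str]:
    """Edge provider named in Server or in the proxy headers the page lists."""
    for name in ("server", "via", "x-cache", "x-powered-by"):
        value = headers.get(name, "").lower()
        for marker in CDN_MARKERS:
            if marker in value:
                return marker
    return None

def classify(alpn: Optional[str], headers: dict) -> Tuple[str, str]:
    """Map the ALPN result and response headers onto the page's verdict labels."""
    if alpn != "h2":
        return ("NOT VULNERABLE", "h2 not negotiated via ALPN (h2c not checked)")
    cdn = detect_cdn(headers)
    if cdn:
        return ("CDN DETECTED", f"{cdn} fronts the site; origin not visible")
    server = headers.get("server", "").strip()
    if not server:
        return ("UNKNOWN", "Server header absent or stripped")
    low, version = server.lower(), parse_version(server)
    if "nginx" in low:
        if version is None:
            return ("POTENTIALLY VULNERABLE", "nginx version not exposed; fix is 1.29.8")
        if version < NGINX_FIXED:
            return ("VULNERABLE", f"{server} is below 1.29.8")
        return ("NOT VULNERABLE", f"{server} is at or above 1.29.8")
    if "microsoft-iis" in low:
        return ("VULNERABLE", "IIS with HTTP/2 enabled; no patch exists")
    if "apache" in low:
        return ("POTENTIALLY VULNERABLE", "mod_http2 version (fix 2.0.41) not exposed")
    if "envoy" in low:
        if version is None:
            return ("POTENTIALLY VULNERABLE", "Envoy version not exposed")
        if envoy_patched(version):
            return ("NOT VULNERABLE", f"{server} is a fixed build")
        return ("VULNERABLE", f"{server} predates the fixed builds")
    if any(name in low for name in NOT_TESTED):
        return ("NOT TESTED", f"{server} was not covered by the original research")
    return ("UNKNOWN", f"unrecognised Server header: {server}")

def negotiated_alpn(host: str, port: int = 443, timeout: float = 5.0) -> Optional[str]:
    """Offer h2 and http/1.1 during the TLS handshake; return the server's choice."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.selected_alpn_protocol()

def fetch_headers(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """One HEAD request over TLS; header names lower-cased for lookup."""
    conn = http.client.HTTPSConnection(host, port, timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.request("HEAD", "/", headers={"User-Agent": "h2-triage-example/0.1"})
        return {k.lower(): v for k, v in conn.getresponse().getheaders()}
    finally:
        conn.close()

def scan(host: str) -> Tuple[str, str]:
    """Passive check of one host; connection failures map to SITE NOT FOUND."""
    try:
        alpn, headers = negotiated_alpn(host), fetch_headers(host)
    except (OSError, http.client.HTTPException) as exc:
        return ("SITE NOT FOUND", f"could not connect: {exc}")
    label, reason = classify(alpn, headers)
    return (label, reason + ("; HTTP/3 advertised via Alt-Svc" if supports_http3(headers) else ""))
```

`scan("your-host.example")` returns a `(label, reason)` pair; `classify` can equally be fed headers already captured by an inventory or monitoring job, which is the piece worth reusing. The blind spots listed above carry over unchanged: a stripped Server header lands on UNKNOWN, Apache and version-less Envoy can only ever reach POTENTIALLY VULNERABLE, and a CDN in front means the origin is never examined.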
Research paper · Advisory · Envoy advisory