Security researchers have identified a hidden HTTP/2 bomb exploit that forces massive memory consumption on servers like Nginx and Apache. By chaining compression attacks with stream stalling, a single client can trigger a denial-of-service condition.