Summary
NPM 2.15.1 bundles OpenResty 1.29.2.5, which is vulnerable to CVE-2026-49975 (HTTP/2 Bomb).
Details
A remotely exploitable DoS vulnerability was publicly disclosed on June 3, 2026.
An unauthenticated attacker on a 100Mbps connection can exhaust server memory in seconds by combining HPACK indexed reference amplification with an HTTP/2 Window Stall.
The fix for nginx shipped in version 1.29.8 via the new max_headers directive.
OpenResty needs to release a version based on nginx 1.29.8+ before this can be resolved in NPM.
References
Current workaround
Setting mem_limit on the Docker container limits the blast radius until a proper fix is available.
Using http2 off; in the Advanced config causes 404 errors due to conflicts with the NPM-generated config.
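To tell whether a given NPM container's bundled OpenResty is already built on a patched nginx, here is an added shell snippet (not part of this issue or the NPM project): it parses the `nginx -v` banner and compares the nginx base version against 1.29.8. The container name nginx-proxy-manager is an assumption and the sample banner is constructed from the version this issue reports.

```shell
#!/bin/sh
# Added example, not from the issue or the NPM project: report whether an
# OpenResty/nginx build is based on an nginx release at or above the one that
# carries the max_headers fix (1.29.8, per the issue). OpenResty version strings
# are <nginx major>.<minor>.<patch>.<openresty release>, so 1.29.2.5 -> nginx 1.29.2.

FIXED_NGINX="1.29.8"   # first nginx release with the fix, as stated in the issue

# Extract the three-component nginx base version from an `nginx -v` banner
# such as "nginx version: openresty/1.29.2.5" or "nginx version: nginx/1.29.8".
# Prints nothing when the banner does not look like either form.
nginx_base_version() {
    printf '%s\n' "$1" |
        sed -n 's#.*/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*#\1#p'
}

# True (exit 0) when dotted version $1 >= $2; both must have three numeric parts.
# Components are compared numerically, so 1.30.0 > 1.29.8 and 1.29.10 > 1.29.8.
version_ge() {
    set -- $(printf '%s %s' "$1" "$2" | tr '.' ' ')
    if [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ]; return; fi
    if [ "$2" -ne "$5" ]; then [ "$2" -gt "$5" ]; return; fi
    [ "$3" -ge "$6" ]
}

# Classify a banner as "patched:<base>", "vulnerable:<base>" or "unknown".
assess_banner() {
    base=$(nginx_base_version "$1")
    if [ -z "$base" ]; then
        echo "unknown"
    elif version_ge "$base" "$FIXED_NGINX"; then
        echo "patched:$base"
    else
        echo "vulnerable:$base"
    fi
}

# Constructed sample banner matching the OpenResty build the issue says NPM 2.15.1 bundles.
SAMPLE_BANNER='nginx version: openresty/1.29.2.5'
echo "sample: $(assess_banner "$SAMPLE_BANNER")"   # sample: vulnerable:1.29.2

# Against a running container (container name is an assumption; nginx -v writes to stderr):
#   assess_banner "$(docker exec nginx-proxy-manager nginx -v 2>&1)"
```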
Request
Please update the bundled OpenResty to a version based on nginx 1.29.8+ as soon as it is available upstream.