According to an article from ADSL Zone [ES], the HTTP/2 protocol has severe security flaws that put up to 85 million sites at risk.
I must admit that I didn’t see this coming, given that, following extensive patches to the standard HTTP protocol, you’d expect the next-generation one to be much more secure.
Fortunately, I only have one site running HTTP/2, so I won’t worry too much about it for the time being.
However, the same security researchers who discovered these vulnerabilities noted that some of them are flaws that already existed and were exploited in HTTP/1.x, so we’re talking about bad code inheritance.
Most of these vulnerabilities are DDoS-related, so their success rate also depends on the security layers implemented outside the server and between the server and the network edge.