The Open Source Technology Improvement Fund is proud to share the results of our security audits of nghttp3 and ngtcp2. ngtcp2 is an open source project that implements the QUIC network protocol, while nghttp3 implements HTTP/3, which addresses the speed and efficiency issues of HTTP/2. With the help of X41 D-Sec and the Sovereign Tech Agency, these projects underwent source code audits to help improve their health and security.

Audit Process:

This engagement was performed in February and March of 2025, with the goal of identifying high-level logic bugs in HTTP over QUIC and the classes of vulnerabilities typical of projects written in C/C++. Using dynamic and static code analysis with CodeQL and semgrep, the audit team performed a thorough review of the aspects in scope, including manual review of 8 components related to QUIC and of the cryptographic primitives used for key agreement and key update. The IETF Standards Track documentation served as the reference and basic threat model for the auditors during this work.

Audit Results:

  • 3 Informational Findings
    • All findings have been resolved by the maintainer
  • AFL++ fuzz harnesses for 4 functions
  • Recommendations for further testing

The three reported findings were all in ngtcp2. None of the three had direct security impact, and none is considered a vulnerability. Based on this engagement, these two projects exhibit a healthy security level, given the memory-safety weaknesses inherent to C/C++ and their exposure to web-facing traffic. OSTIF expresses our gratitude to Tatsuhiro Tsujikawa, maintainer of both projects, for his involvement and participation in this security work.

Thank you to the individuals and groups that made this engagement possible:

  • The nghttp3 and ngtcp2 projects' maintainer and community, especially Tatsuhiro Tsujikawa
  • X41 D-Sec: C. Mayr, D. Gstir, H. Mösl-Canaval, L. Kofler, Antonela Conti, Markus Vervier, and Eric Sesterhenn
  • Sovereign Tech Agency

You can read the Audit Report HERE

You can read X41 D-Sec’s Blog HERE

OSTIF is celebrating our 10-year anniversary this May! Join us for an upcoming meetup covering our lessons, gaffes, and future plans by following our meetup calendar: https://lu.ma/ostif-meetups