OSTIF is proud to share the results of our security audit of cURL HTTP/3. cURL is an open source command line tool and library, the most widely used HTTP client software in the world. This engagement was for the new components of HTTP/3 in cURL. With the help of Trail of Bits and the Sovereign Tech Fund, this newer branch of cURL (as of December 2023) will function more securely for users sending HTTP over networks. 

Audit Process:

Trail of Bits performed fuzzing coverage analysis and a codebase maturity evaluation for this audit of the HTTP/3 component, using static and dynamic testing of the codebase with both automated and manual processes. The scope of this engagement was limited to the new components added to support HTTP/3 in cURL, so the libraries used for lower-level HTTP/3 operations were excluded. The low-level libraries ngtcp2 and nghttp3 were involved in the fuzz testing of HTTP/3 code paths, but they were not the focus of the audit.

Audit Results:

  • 2 informational findings related to code configuration
  • Improved existing fuzz tests
  • Wrote and contributed additional fuzz tests to increase fuzzing coverage
  • Explicit fuzzing and consequential security recommendations

Security audits produce more than quantitative results: they also yield documentation, insights, and recommendations that help project maintainers plan future security work as well as releases and life cycles. This audit was part of the STF’s Bug Resilience Program, which aims to improve the security of open source infrastructure through contributions to FOSS projects, a bug and fix bounty program, and a code audit program.

Thank you to the following individuals and groups that made this engagement possible:

  • cURL – Daniel Stenberg and the cURL maintainers and community
  • Trail of Bits – Vasco Franco, Emilio López, Spencer Michaels, Anders Helsing, and Jeff Braswell
  • Sovereign Tech Fund – Tara Tarakiyee, Adriana Groh, Fiona Krakenbürger, Paul Sharratt, and Powen Shiah

You can read the Audit Report HERE

You can read Daniel Stenberg’s Blog HERE

Everyone around the world depends on open source software. If you’re interested in financially supporting this pivotal work, contact [email protected].