The Open Source Technology Improvement Fund is proud to share the results of our security audit of GNU libmicrohttpd2. GNU libmicrohttpd2 is an open source library that “embeds a HTTP or HTTPS daemon into host applications.” With the help of ADA Logics and the Sovereign Tech Agency, this project has improved its resiliency and health and set itself up for long-term security payoffs.
Audit Process:
This work was undertaken at the end of summer 2025, in collaboration between the audit team at ADA Logics and the maintainers of libmicrohttpd2. Three main objectives were planned for this work: first, to create a threat model and outline the attack surface to guide the audit team through the rest of the engagement; second, to perform manual code auditing and review; and third, to create and establish a fuzzing suite to expand and extend testing coverage. As a result of this work, 9 fuzzers were designed and integrated into the project, and uploaded to OSS-Fuzz for ongoing fuzz testing management.
Audit Results:
- 5 Findings with Security Impact (all have been fixed)
  - 1 High, 1 Medium, 3 Low
- 2 Informational Findings
- Fuzz Testing Suite
  - 9 custom fuzzers integrated
  - OSS-Fuzz integration
  - 35% code coverage reached
- Recommendations for Future Work
In addition to the code review and fuzzing by ADA Logics, cryptographer Dr. Jean-Philippe Aumasson reviewed the underlying cryptography of libmicrohttpd2.
This review was quick and informal and did not result in a published report, but it produced a number of discussions between the maintainers and JP about various cryptography and security features and how they are implemented, leading to some fixes and long-term changes. Some of the findings concerned intentional design-level decisions made by the maintainers to keep the widest possible support for all the environments that MHD2 must run in, and some concerned conformance with RFCs.
- Dropped plans to implement an internal fallback entropy source based on a xoshiro256++ PRNG seeded with whatever entropy is available. The recommendation was either to panic/abort/fail when no proper entropy source is available, or to build a fallback source on AES-CTR or ChaCha20.
- Renaming some functions with *_INSECURE or *_RECOMMENDED to better inform and guide users of best practices.
- A fix for a bug that caused extra rounds of hashing that were unnecessary (a performance improvement, not a security fix).
- Adding an option to MHD2 that the application must explicitly set to enable MD5 compatibility (it can still be explicitly enabled for RFC compliance and legacy support).
- Specific checks were made for some custom, optimized hashing algorithms that are implemented in MHD2 and found to be sound.
This informal collaborative review proved very valuable to the project maintainers and helped give some expert opinions on potential issues and remediation.
The audit report emphasizes that the software is well-written, and the recommendations for future efforts are holistic. The project maintainers, led by Christian Grothoff, were incredibly responsive and helpful participants in this engagement, and resolved all of the report findings before publication.
GNU libmicrohttpd2 will be the next evolution of the widely used GNU libmicrohttpd. The new version is currently undergoing active development, and has not yet reached a stable release stage. For further updates, subscribe to the info-gnu list.
Thank you to the individuals and groups that made this engagement possible:
- GNU libmicrohttpd2 maintainers and community, especially: Evgeny Grin, Christian Grothoff
- ADA Logics: David Korczynski, Adam Korczynski, and Arthur Chan
- Jean-Philippe Aumasson
- Sovereign Tech Agency
You can read the Audit Report HERE
Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, or would like to participate, email [email protected].
OSTIF is celebrating our 10 year anniversary! Join us for a meetup about our work, lessons learned, and where we see the future of open source security going by following our meetup calendar https://lu.ma/ostif-meetups