Security Audit of nghttp3 and ngtcp2
X41 performed a source code audit of ngtcp2, a QUIC implementation, and nghttp3, an implementation of HTTP/3, sponsored once again by the Open Source Technology Improvement Fund (OSTIF). The report is released now that the development team has addressed the issues identified.
ngtcp2 implements QUIC, a network protocol that aims to improve the performance of connection-oriented web applications. On top of it, nghttp3 implements HTTP/3, which aims to improve latency and loading times compared to HTTP/2 and earlier versions. Part of nghttp3 is an implementation of QPACK, a compression format for HTTP fields that avoids head-of-line blocking by remaining correct when packets are delivered out of order.
Full report of the security audit: https://www.x41-dsec.de/static/reports/X41-OSTIF-NG-2025-Audit-Report-Public.pdf
OSTIF Blogpost: https://ostif.org/nghttp3-ngtcp2-audits-complete/
Audit Results
X41 discovered no vulnerabilities during the audit, which highlights the strong security foundation of the audited repositories, the effectiveness of the development practices in place, and the code's inherent robustness. Nevertheless, X41 identified three issues without a direct security impact.
One of the identified informational notes concerns the checking of stateless reset tokens: the check is also performed against already-retired connections, whereas the specification (RFC 9000) requires endpoints not to do this. X41 considers the security impact negligible because retired connections are only kept for a few round-trips, but at minimum the behaviour allows fingerprinting the implementation.
The implementation also contains a potential timing side channel that leaks the length of packet numbers. The code is written quite carefully and avoids major timing discrepancies, but X41 found one instance where a loop's iteration count depends on the packet number length. This is not currently known to have a significant security or privacy impact.
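The timing note above concerns a loop whose trip count follows the packet number length. As an added illustration (not ngtcp2's code; the function names and the sample bytes are constructed for this example), the C below shows such a length-keyed read beside a length-independent one, and goes one step further by expanding the truncated value to the full packet number with the reference algorithm from RFC 9000, Appendix A.3:

```c
#include <stddef.h>
#include <stdint.h>
/* Illustration only, not ngtcp2 code. Once header protection is removed, a
 * QUIC packet number is the last 1-4 header bytes; the length is
 * (first_byte & 0x03) + 1 (RFC 9000, Section 17.1). */

/* Constructed sample: packet-number field followed by payload bytes. */
static const uint8_t kSamplePnField[4] = {0x9b, 0x32, 0xaa, 0xbb};

/* Length-dependent read: the loop runs pn_len times, so its timing and
 * branch pattern reveal how many packet-number bytes the peer used. */
static uint32_t read_pn_loop(const uint8_t *buf, size_t pn_len) {
  uint32_t pn = 0;
  for (size_t i = 0; i < pn_len; ++i)
    pn = (pn << 8) | buf[i];
  return pn;
}

/* Length-independent read: always consume 4 bytes and drop the surplus with
 * a shift, so no loop or branch is keyed on pn_len. Assumes 4 readable bytes
 * at the packet-number offset, which QUIC guarantees because the
 * header-protection sample starts 4 bytes in (RFC 9001, Section 5.4.2). */
static uint32_t read_pn_fixed(const uint8_t *buf, size_t pn_len) {
  uint32_t all4 = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                  ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
  return all4 >> (8u * (4u - (uint32_t)pn_len)); /* pn_len is 1..4 */
}

/* Expand the truncated value to the full packet number (RFC 9000, App. A.3). */
static uint64_t decode_packet_number(uint64_t largest_pn, uint64_t truncated_pn,
                                     unsigned pn_nbits) {
  uint64_t expected_pn = largest_pn + 1;
  uint64_t pn_win = (uint64_t)1 << pn_nbits;
  uint64_t pn_hwin = pn_win / 2;
  uint64_t pn_mask = pn_win - 1;
  uint64_t candidate_pn = (expected_pn & ~pn_mask) | truncated_pn;
  /* "candidate <= expected - hwin", rearranged to avoid unsigned underflow */
  if (candidate_pn + pn_hwin <= expected_pn &&
      candidate_pn < ((uint64_t)1 << 62) - pn_win)
    return candidate_pn + pn_win;
  if (candidate_pn > expected_pn + pn_hwin && candidate_pn >= pn_win)
    return candidate_pn - pn_win;
  return candidate_pn;
}

/* Full path: read the field without a length-keyed loop, then expand it. */
static uint64_t decode_pn_from_header(const uint8_t *pn_field, size_t pn_len,
                                      uint64_t largest_pn) {
  return decode_packet_number(largest_pn, read_pn_fixed(pn_field, pn_len),
                              (unsigned)(8 * pn_len));
}
```

The shift in `read_pn_fixed` is data-independent on CPUs with a barrel shifter; the point is that the number of bytes processed no longer varies with the peer's choice of packet number length.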
Overall, the security posture of the audited systems appears to be at a good level compared to systems of similar size and complexity, as well as to other implementations of the standards implemented here.