⚠️ Version Policy Note
As of January 2020, H2O no longer uses version tagging. The master branch is considered stable. Each commit is treated as a release.

| Year | Event |
|---|---|
| 2014 | H2O project initiated by Kazuho Oku at DeNA Co., Ltd. |
| 2015 | First stable releases (1.0 series) |
| 2016 | H2O 2.0 released with TLS 1.3 support |
| 2017 | H2O 2.2 series - performance improvements, HTTP/2 push |
| 2018 | HTTP/3 (QUIC) development begins |
| 2019 | H2O 2.3.0-beta2 released (August) - last tagged version |
| 2020 | Version tagging discontinued (January) |
| 2021 | HTTP/3 implementation matures |
| 2022 | Native QUIC support in production |
| 2023 | CVE-2023-41337, CVE-2023-44487 reported |
| 2024 | CVE-2024-25622, CVE-2024-45397 reported |
| 2025 | Debian package removed (May), CVE-2025-8671 reported |
| 2026 | Active development continues (January commits) |

H2O was created by Kazuho Oku (also known as @kazuho) at DeNA Co., Ltd., a Japanese technology company. The project was designed from the ground up to be:

| Version | Release Date | Key Features |
|---|---|---|
| 1.0.0 | 2015 | Initial stable release |
| 1.4.x | 2015 | Performance improvements |
| 1.7.x | 2016 | TLS 1.3 draft support |

| Version | Release Date | Key Features |
|---|---|---|
| 2.0.0 | 2016 | TLS 1.3 support, improved HTTP/2 |
| 2.1.0 | 2016 | Performance optimizations |
| 2.2.0 | 2017 | HTTP/2 server push, gzipped file serving |
| 2.2.2 | 2017 | OCSP stapling improvements |
| 2.2.3 | 2017 | Security fixes (DoS vulnerabilities) |
| 2.2.4 | 2017 | Buffer overflow fix, TLS 1.3 draft-26 |
| 2.2.5 | 2019 | CVE-2018-0608 fix |
| 2.2.6 | 2019 | HTTP/2 DoS fixes (CVE-2019-9512/9514/9515) |
| 2.3.0-beta1 | 2019 | Rack middleware, load balancing |
| 2.3.0-beta2 | Aug 2019 | Last tagged release |

In January 2020, the H2O maintainers announced that they would stop using version tagging. The rationale:

“We no longer tag versions. Users are advised to use the up-to-date commit of the master branch, which is always considered ready for public use.”

| Before 2020 | After 2020 |
|---|---|
| Semantic versioning (e.g., 2.2.6) | Master branch = stable |
| Periodic releases | Continuous deployment |
| Version-specific docs | Commit-based tracking |
| Release announcements | GitHub commits only |

H2O was one of the first web servers to implement HTTP/3 (QUIC):

| Year | Milestone |
|---|---|
| 2018 | Initial QUIC implementation begins |
| 2019 | Early QUIC testing in master branch |
| 2020 | Production-ready QUIC support |
| 2021 | RFC 9000 compliance |
| 2022 | Native HTTP/3 in stable builds |
| 2023-2025 | QUIC performance optimizations |

| Aspect | Status |
|---|---|
| Development | ✅ Active (commits January 2026) |
| Maintainer | Kazuho Oku + contributors |
| Repository | https://github.com/h2o/h2o |
| Stars | 11.4k+ |
| License | MIT |
| Security Contact | h2o-vuln@googlegroups.com |

| Distribution | Status | Notes |
|---|---|---|
| Debian | ❌ Removed (May 2025) | No maintainer, unpatched CVEs |
| Ubuntu | ⚠️ May be outdated | Check PPA status |
| RHEL 9 | ✅ OKey repository | Version 2.2.6 |
| Homebrew | ✅ Available | Tracks master branch |
| FreeBSD | ✅ Available | Port: www/h2o |

H2O introduced several features that influenced web server development:

| Year | CVE | Description |
|---|---|---|
| 2016 | CVE-2016-1133 | CRLF injection |
| 2016 | CVE-2016-4817 | HTTP/2 DoS |
| 2017 | CVE-2017-10868 | DoS vulnerability |
| 2017 | CVE-2017-10872 | DoS vulnerability |
| 2018 | CVE-2018-0608 | Buffer overflow |
| 2019 | CVE-2019-9512 | HTTP/2 ping flood |
| 2019 | CVE-2019-9514 | HTTP/2 reset flood |
| 2019 | CVE-2019-9515 | HTTP/2 settings flood |
| 2023 | CVE-2023-41337 | TLS session misdirection |
| 2023 | CVE-2023-44487 | HTTP/2 rapid reset |
| 2024 | CVE-2024-25622 | Header directive bug |
| 2024 | CVE-2024-45397 | TLS 1.3 + QUIC bypass |
| 2025 | CVE-2025-8671 | HTTP/2 stream reset DoS |