⚠️ CRITICAL: Debian Package Vulnerabilities
H2O packages in Debian Bookworm have 5 unpatched CVEs (no DSA issued, postponed):
- CVE-2025-8671 (HTTP/2 DoS)
- CVE-2024-45397 (TLS 1.3 + QUIC bypass)
- CVE-2024-25622 (Header directive bug)
- CVE-2023-44487 (HTTP/2 rapid reset)
- CVE-2023-41337 (TLS session misdirection)
Recommendation: Build from source for security patches.
⚠️ Version Policy
H2O has not tagged releases since January 2020; the master branch is considered stable. Build from source to get the latest security fixes.
| Aspect | Status | Notes |
|---|---|---|
| Project Maintenance | ✅ Active | Recent commits (January 2026) |
| Security Response | ✅ Responsive | Security contact: h2o-vuln@googlegroups.com |
| Debian Package | ❌ Vulnerable | 5 unpatched CVEs, removed from testing |
| Source Build | ✅ Secure | Latest patches from master branch |
| HTTP/3 Security | ⚠️ Emerging | QUIC security still being researched |
| CVE ID | Severity | Description | Affected | Status |
|---|---|---|---|---|
| CVE-2025-8671 | High | Client-triggered server-sent stream resets (DoS) | HTTP/2 | ❌ Unpatched in Debian |
| CVE-2024-45397 | High | TLS 1.3 early data + TCP Fast Open/QUIC 0-RTT bypass | TLS/QUIC | ❌ Unpatched in Debian |
| CVE-2024-25622 | Medium | Header directive scope inheritance bug | HTTP/1, HTTP/2, HTTP/3 | ❌ Unpatched in Debian |
| CVE-2023-44487 | High | HTTP/2 rapid reset attack (HTTP/2 protocol-level issue) | HTTP/2 | ❌ Unpatched in Debian |
| CVE-2023-41337 | High | TLS session misdirection - malicious backend can misdirect HTTPS requests | TLS | ❌ Unpatched in Debian |
| CVE ID | Description | Fixed In |
|---|---|---|
| CVE-2024-45403 | HTTP/1.x, HTTP/2, HTTP/3 vulnerability | Master branch |
| CVE-2023-50247 | HTTP/1.x, HTTP/2, HTTP/3 vulnerability | Master branch |
| CVE-2023-30847 | Reverse proxy issue | 2.3.0-beta2+ |
| CVE-2021-43848 | Pre-8c0eca3 commit vulnerability | Post-8c0eca3 |
| CVE-2019-9515 | HTTP/2 settings flood | 2.2.4+ |
| CVE-2019-9514 | HTTP/2 reset flood | 2.2.4+ |
| CVE-2019-9512 | HTTP/2 ping flood | 2.2.4+ |
| CVE-2018-0608 | Buffer overflow | 2.2.4+ |
Due to unpatched CVEs in Debian packages, always build from source for production:
```bash
git clone --recurse-submodules https://github.com/h2o/h2o.git
cd h2o
mkdir -p build && cd build
cmake ..
make
sudo make install
```
```yaml
# TLS listener and security response headers
listen:
  port: 443
  ssl:
    certificate-file: /etc/ssl/certs/example.com.crt
    key-file: /etc/ssl/private/example.com.key
    dh-file: /etc/ssl/dhparam.pem
    minimum-version: TLSv1.2
    cipher-preference: server
hosts:
  "example.com":
    header.add:
      strict-transport-security: "max-age=31536000; includeSubDomains; preload"
      x-content-type-options: "nosniff"
      x-frame-options: "SAMEORIGIN"
      x-xss-protection: "1; mode=block"
      content-security-policy: "default-src 'self'"
```
```yaml
# Per-path access logging and rate limiting for the admin area
hosts:
  "example.com":
    paths:
      "/admin":
        file.dir: /var/www/admin
        access-log: /var/log/h2o/admin-access.log
        filter:
          - name: rate-limit
            config:
              burst: 10
              rate: 5
```
| Risk | Mitigation |
|---|---|
| 0-RTT Replay Attacks | Disable 0-RTT or implement replay protection |
| UDP Amplification | Implement connection rate limiting |
| Connection Migration | Validate connection migration tokens |
| Encryption Overhead | Monitor CPU usage under load |
```yaml
listen:
  port: 443
  ssl:
    certificate-file: /etc/ssl/certs/example.com.crt
    key-file: /etc/ssl/private/example.com.key
  http3: true
  # Consider disabling 0-RTT for sensitive applications
```
⚠️ Note: HTTP/3 security is still being researched. Test thoroughly before deploying in production.
```yaml
# Request rate limiting and HTTP/2 stream limits
filter:
  - name: rate-limit
    config:
      burst: 100
      rate: 50
      burst-delay: 100ms
      delay: 20ms
max-request-entity-size: 10485760  # 10MB
http2:
  idle-timeout: 30s
  max-concurrent-streams: 100
```
```yaml
hosts:
  "example.com":
    paths:
      "/internal":
        file.dir: /var/www/internal
        access-log: /var/log/h2o/internal-access.log
        # Restrict by IP (requires mruby or external filter)
```
```yaml
access-log:
  path: /var/log/h2o/access.log
  format: '%v:%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"'
error-log: /var/log/h2o/error.log
log-level: warn
```
Monitor for:
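As an added example (not part of the page or the H2O project), the following Python parses lines in the access-log format configured above and reports clients whose request count in a sliding window exceeds a burst threshold, the same burst/rate numbers a rate-limit filter uses; the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the access-log format configured above:
# '%v:%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"'
LOG_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line: str):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    rec["status"] = int(rec["status"])
    return rec

def find_bursts(lines, max_requests: int, window_seconds: float) -> dict:
    """{client: peak requests in one sliding window} for clients over max_requests."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:  # unparseable lines are skipped rather than aborting the scan
            per_client[rec["client"]].append(rec["ts"])
    offenders = {}
    for client, times in per_client.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window_seconds:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_requests:
            offenders[client] = peak
    return offenders

def _line(client, second, path, status):
    """Constructed sample line in the configured format (not real traffic)."""
    return (f'example.com:{client} - - [10/Jan/2026:12:00:{second:02d} +0000] '
            f'"GET {path} HTTP/2" {status} 512 "-" "curl/8.0"')

# Constructed sample: 12 /admin requests from one client in two seconds, three from another.
SAMPLE_LOG = [_line("203.0.113.7", 1 + i // 6, "/admin", 401) for i in range(12)]
SAMPLE_LOG += [_line("198.51.100.4", 5 * i, "/", 200) for i in range(3)]
```

Run `find_bursts(open("/var/log/h2o/access.log"), 10, 1)` with the burst and one-second window from the /admin rate limit to see which clients would have been throttled.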
```bash
# Configuration files
sudo chown root:root /etc/h2o/h2o.conf
sudo chmod 644 /etc/h2o/h2o.conf
# SSL private keys
sudo chown root:root /etc/ssl/private/*.key
sudo chmod 600 /etc/ssl/private/*.key
# Log directory
sudo chown h2o:adm /var/log/h2o
sudo chmod 755 /var/log/h2o
# Web root
sudo chown h2o:h2o /var/www/html
sudo chmod 755 /var/www/html
```
```ini
# /etc/systemd/system/h2o.service
[Service]
User=h2o
Group=h2o
# Filesystem protection
ProtectSystem=strict
ProtectHome=read-only
PrivateTmp=true
ReadWritePaths=/var/log/h2o /var/lib/h2o
# Network restrictions
RestrictAddressFamilies=AF_INET AF_INET6
# Capability restrictions
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=
# System call filtering
SystemCallArchitectures=native
SystemCallFilter=@system-service
# Memory protection
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
# Restrict privileges
NoNewPrivileges=true
RestrictSUIDSGID=true
# Resource limits
LimitNOFILE=65535
CPUQuota=50%
# MemoryLimit= is the legacy cgroup v1 name; MemoryMax= is its cgroup v2 successor
MemoryLimit=512M
```
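The following Python audits a unit file against the hardening settings shown in the unit above (run as a non-root user, capabilities limited to CAP_NET_BIND_SERVICE, a syscall filter present); it is an added example, not code from the page or from systemd, and the weak unit it checks is constructed.

```python
# Expectations drawn from the unit above; assumes the allow-list form of CapabilityBoundingSet (not "~").
REQUIRED = {
    "ProtectSystem": "strict",
    "NoNewPrivileges": "true",
    "PrivateTmp": "true",
    "SystemCallArchitectures": "native",
}
ALLOWED_CAPS = {"CAP_NET_BIND_SERVICE"}  # binding port 443 is the only privilege needed
def parse_unit(text: str) -> dict:
    """Parse [Section] blocks; repeated keys accumulate, an empty value resets the list."""
    sections, current = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "":  # systemd semantics: an empty assignment clears earlier values
            current[key] = []
        else:
            current.setdefault(key, []).append(value)
    return sections

def audit_service(text: str) -> list:
    """Return findings for the [Service] section; an empty list means hardened."""
    svc = parse_unit(text).get("Service", {})
    findings = []
    if (svc.get("User") or ["root"])[-1] == "root":
        findings.append("service runs as root")
    for key, want in REQUIRED.items():
        if (svc.get(key) or [None])[-1] != want:
            findings.append(f"{key} should be {want}")
    if "CapabilityBoundingSet" not in svc:
        findings.append("CapabilityBoundingSet not restricted")
    else:
        caps = {c for v in svc["CapabilityBoundingSet"] for c in v.split()}
        if caps - ALLOWED_CAPS:
            findings.append(f"unexpected capabilities: {sorted(caps - ALLOWED_CAPS)}")
    if not svc.get("SystemCallFilter"):
        findings.append("no SystemCallFilter")
    return findings

# Constructed unit with three weaknesses (an illustration, not a file from the page).
WEAK_UNIT = "\n".join([
    "[Service]", "User=root", "ProtectSystem=full", "NoNewPrivileges=true",
    "PrivateTmp=true", "SystemCallArchitectures=native", "SystemCallFilter=@system-service",
    "CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SYS_ADMIN",
])
```

Pass the contents of /etc/systemd/system/h2o.service to `audit_service` after editing the unit and before `systemctl daemon-reload`.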
Report security vulnerabilities to: h2o-vuln@googlegroups.com
See H2O Hardening for server-specific hardening details.