H2O Webserver Stack-based buffer overflow

Stack-based vulnerability on H2O Webserver

Over the past few weeks I have been considering some changes to my application stack. Currently it consists of OpenBSD with Nginx as a load balancer in front of a web application written in Go. I wanted to give the H2O server a try. H2O is a high-performance web server and web library written in C.

The performance of the server is really good, no questions there. Next, I wanted to do my own security audit. After several hours of fuzzing the network protocol and doing other local checks I was finally able to crash the server. I did a little more digging and discovered a pattern that seemed to trigger the issue. With the help of gdb I was able to confirm it was a stack-based buffer overflow.

Image 1 - Crash inside the yoml__resolve_merge() function.

After close inspection I noticed that different input patterns triggered the crash in different locations inside the program.

Image 2 - Crash inside the yoml_find_anchor() function.

Vulnerability Details

Under certain conditions, H2O's YAML configuration parser (yoml, the component both crash sites belong to) fails to properly handle anchors and aliases, i.e. the '&' and '*' references in the configuration file.
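As an added illustration, not code from H2O or its yoml parser: the crash sites named above, yoml__resolve_merge() and yoml_find_anchor(), are functions whose names suggest they walk the parsed document while resolving anchors and aliases. The C model below shows the two guards such a recursive walk needs, a cycle check for an alias that refers back to a node still being resolved and a bound on nesting depth, run on hand-built node graphs that stand in for tiny YAML documents. The function names, error codes and sample documents are this example's own assumptions, and the post does not establish that H2O's defect is exactly this pattern.

```c
/*
 * Added example, not code from H2O or yoml: a minimal model of YAML
 * anchor ("&name") / alias ("*name") resolution with the guards a recursive
 * resolver needs, cycle detection and a depth bound.  Node graphs are built
 * by hand (no YAML text is parsed); names and error codes are assumptions.
 */
#include <string.h>

enum kind { SCALAR, SEQUENCE, ALIAS };
enum { MAX_ITEMS = 4, MAX_DEPTH = 32 };
enum { RES_OK = 0, RES_CYCLE = -1, RES_NO_ANCHOR = -2, RES_TOO_DEEP = -3 };

struct node {
    enum kind kind;
    const char *anchor;        /* anchor declared on this node, or NULL */
    const char *alias_target;  /* anchor name referenced, when kind == ALIAS */
    const char *value;         /* payload, when kind == SCALAR */
    struct node *items[MAX_ITEMS];
    int n_items;
    struct node *resolved;     /* ALIAS only: target filled in by resolution */
    int visiting;              /* non-zero while the node is on the recursion stack */
};

/* Before resolution every alias is a leaf, so the document is a tree and a
 * recursive walk over items[] terminates. */
static struct node *find_anchor(struct node *n, const char *name)
{
    if (n->anchor != NULL && strcmp(n->anchor, name) == 0)
        return n;
    for (int i = 0; i < n->n_items; i++) {
        struct node *hit = find_anchor(n->items[i], name);
        if (hit != NULL)
            return hit;
    }
    return NULL;
}

/* Resolve every alias under n.  The visiting flag catches an alias that leads
 * back to a node still being resolved (a self-reference such as `&x [*x]`);
 * MAX_DEPTH bounds legitimate nesting so a hostile document cannot exhaust
 * the stack even if the cycle check were somehow bypassed. */
static int resolve_aliases(struct node *root, struct node *n, int depth)
{
    int rc = RES_OK;
    if (depth > MAX_DEPTH)
        return RES_TOO_DEEP;
    if (n->visiting)
        return RES_CYCLE;
    n->visiting = 1;
    if (n->kind == ALIAS) {
        struct node *target = find_anchor(root, n->alias_target);
        if (target == NULL)
            rc = RES_NO_ANCHOR;
        else if ((rc = resolve_aliases(root, target, depth + 1)) == RES_OK)
            n->resolved = target;
    } else {
        for (int i = 0; i < n->n_items && rc == RES_OK; i++)
            rc = resolve_aliases(root, n->items[i], depth + 1);
    }
    n->visiting = 0;
    return rc;
}

/* Constructed input "- &x 1" followed by "- *x": a well-formed alias.
 * Returns the scalar value reached through the alias, or NULL on failure. */
const char *resolved_alias_value(void)
{
    struct node one  = { SCALAR, "x", NULL, "1", {0}, 0, NULL, 0 };
    struct node ref  = { ALIAS, NULL, "x", NULL, {0}, 0, NULL, 0 };
    struct node root = { SEQUENCE, NULL, NULL, NULL, { &one, &ref }, 2, NULL, 0 };
    if (resolve_aliases(&root, &root, 0) != RES_OK || ref.resolved == NULL)
        return NULL;
    return ref.resolved->value;
}

/* Constructed input "- &x [*x]": a sequence whose only element aliases the
 * sequence itself.  An unguarded resolver would recurse until the stack ran out. */
int check_self_reference(void)
{
    struct node ref  = { ALIAS, NULL, "x", NULL, {0}, 0, NULL, 0 };
    struct node seq  = { SEQUENCE, "x", NULL, NULL, { &ref }, 1, NULL, 0 };
    struct node root = { SEQUENCE, NULL, NULL, NULL, { &seq }, 1, NULL, 0 };
    return resolve_aliases(&root, &root, 0);   /* RES_CYCLE */
}

/* Constructed input: sequences nested MAX_DEPTH + 1 levels deep with no cycle
 * at all; only the depth bound stops this one. */
int check_too_deep(void)
{
    static struct node chain[MAX_DEPTH + 2];
    memset(chain, 0, sizeof chain);
    for (int i = 0; i + 1 < MAX_DEPTH + 2; i++) {
        chain[i].kind = SEQUENCE;
        chain[i].items[0] = &chain[i + 1];
        chain[i].n_items = 1;
    }
    return resolve_aliases(&chain[0], &chain[0], 0);   /* RES_TOO_DEEP */
}
```

The two guards are independent on purpose: the visiting flag rejects the malformed document outright, while the depth bound turns any remaining unbounded recursion into a clean error instead of a crash that a debugger then reports as a smashed stack.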

Versions affected

H2O v2.2.5 and v2.3.0-beta1 are confirmed to be vulnerable.

Vulnerability type

Stack-based buffer overflow.

Impact

The server crashes (denial of service). Specially crafted input may allow an attacker to escalate privileges, although exploitation is difficult and the default install offers no privilege-escalation path (see the disclosure notes below). Note that the trigger described here is the configuration file H2O parses at startup, so an attacker must already be able to supply or modify that file to reach the bug.

Testing for the vulnerability

Here is a non-weaponized configuration file that triggers the crash. Pass this file to H2O with the -c flag on the command line to test whether your server is affected (adding -t makes H2O parse the configuration and exit without serving, which is enough to reproduce a parser crash).


Disclosure timeline

March 18, 2019: I contacted the development team and am waiting for confirmation from their side.

Update, March 23, 2019: The developer is aware of the issue; we had an internal discussion and I have provided several test cases. As exploitation is difficult and there is no privilege escalation in the default install, the overall risk is low.