Skip to content
Tech News
← Back to articles

We found a bug in the hyper HTTP library

read original more articles
Why This Matters

This discovery highlights the importance of rigorous testing and maintenance of open-source libraries like hyper, which underpin critical infrastructure in the tech industry. The bug's impact on image processing at Cloudflare underscores how subtle race conditions can affect user experience and data integrity. Addressing such issues ensures more reliable and efficient services for developers and consumers alike.

Key Takeaways

12 min read

The Images service, built in Rust on Workers , runs on every machine in Cloudflare’s edge network. To handle client connections, we use hyper , an open-source HTTP library for Rust.

Last year, we introduced the Images binding to enable custom, programmatic workflows for processing remote images in Workers. At the end of 2025, we rearchitected the binding to provide a more direct, local connection between the Workers runtime and the Images service.

Shortly after rollout, we received reports that transformation requests from the binding were failing — but only intermittently and only for larger images. Even stranger, the responses for these requests returned a 200 status without any errors logged. The image data was simply cut short: A response that should have been two megabytes might arrive with a few hundred kilobytes instead.

We spent six weeks chasing a nearly invisible bug — a race condition that occurred only under specific conditions — in the hyper library that impacted how the Images binding returned processed image data back to the client. In the end, it took four lines of code to fix it.

Hops, handoffs, and hyper

When developers build on Cloudflare, they compose full-stack applications from a set of platform services that are accessible to Workers through bindings. Bindings provide direct APIs to resources on the Developer Platform like compute , storage , AI inference , and media processing .

The Images binding decouples image optimization from delivery; you can transcode, composite, or manipulate images without needing to return the output as an HTTP response. It also lets you apply optimization parameters in any order, rather than following the fixed sequence imposed by the URL interface . Here, a worker can pass image data directly to the Images API, chain operations together, and get the processed result back as a stream:

const result = await env.IMAGES .input(image) .transform({ width: 800, rotate: 90 }) .output({ format: "image/avif" }); return result.response();

At a high level, this is how image data moves through our various services:

... continue reading