How Cloudflare Uncovered a Long-Standing Bug in the Hyper HTTP Library

Cloudflare · 22 Jun 2026 · 2 min read

#cloudflare

Cloudflare's engineering team recently uncovered a bug in the hyper HTTP library during a rewrite of their Images service binding. The bug, present from hyper 0.10.x through the current 1.x releases, affects applications that use hyper's HTTP/2 implementation, particularly those managing large numbers of concurrent connections.

The issue lies in hyper's internal h2 connection management. Under specific conditions, the library would drop an HTTP/2 connection without properly notifying the application layer, leading to silently dropped requests and wasted resources. The bug was triggered when the application sent a RST_STREAM frame shortly after a HEADERS frame. In such cases, hyper's state machine would incorrectly treat the connection as closed for further requests, but would not propagate the error to the user's code.

  • Concrete changes: The fix, implemented in hyper 0.14.27 and 1.1.5, ensures that the h2 connection close event is properly propagated when a RST_STREAM is sent immediately after headers. The patch modifies the internal dispatch logic in proto::h2::dispatch to correctly handle the GoAway and Reset states.
  • The bug was discovered while Cloudflare was refactoring their Images binding to use a more modern hyper version. The team noticed that after switching from hyper 0.12 to 1.x, some requests were timing out without any error logs.
  • Cloudflare contributed the fix upstream, and the hyper maintainers merged it promptly. Developers using hyper for HTTP/2 should update to the patched versions to avoid silent request drops.

For developers, this highlights the importance of thorough integration testing when upgrading dependencies, especially in high-concurrency environments. Even mature libraries like hyper can harbor subtle state-machine bugs that only manifest under specific load patterns.

Source: https://blog.cloudflare.com/hyper-bug/

Related

auto-curated · source linked above ← all news