Cloudflare Discovers Race Condition in Hyper HTTP Library That Truncated Large Image Responses
Cloudflare engineers spent six weeks tracking down a race condition in the Rust-based hyper HTTP library that caused silent truncation of large image transformations on the edge network.

Cloudflare has disclosed a subtle race condition in the hyper HTTP library, a foundational Rust component used across its edge network, that caused large image transformation responses to be silently truncated. The bug, discovered during a December 2025 rearchitecture of the Images binding, resulted in responses returning HTTP 200 with no error logs despite delivering only a fraction of the expected data. Engineers spent six weeks isolating the issue before fixing it with just four lines of code.
The vulnerability emerged after Cloudflare replaced an internal intermediary service called FL with a new direct Unix socket binding between the Workers runtime and the Images service. While the change improved performance and decoupled release cycles, it introduced a timing-sensitive flaw in hyper's socket shutdown logic. When the reader on the other end of the connection was slower than the writer, hyper's internal buffer would fill up, and the library would issue a socket shutdown before all data had been flushed from its internal buffers to the kernel's outbound buffer.
Hyper, an open-source HTTP library written in Rust, is used extensively across Cloudflare's infrastructure to manage client connections. In the Images binding workflow, the Images service reads input, performs requested optimizations, and passes the entire encoded image to hyper as a single in-memory block. Hyper then writes this data into its own internal buffer and flushes it to the socket's outbound buffer. If the reader consumes data quickly, hyper flushes everything in one pass and safely shuts down the socket. But if the reader is even a few milliseconds slower, the outbound buffer fills and, before the fix, hyper shut the socket down prematurely, leaving data stranded in its internal buffer.
The first sign of trouble came from a customer with a layered image processing pipeline. Their worker used the Images binding to composite multiple large source images from R2 into a single JPEG, then further compressed and resized the result through the URL interface. The inner pipeline's return path silently truncated the response, causing the outer pipeline to fail with an 'end of file before message length reached' error. Because the inner pipeline returned HTTP 200, the truncation was invisible to standard monitoring.
Cloudflare's investigation revealed that the race condition only affected larger images where the processing time was long enough to create a timing window between hyper's internal buffer flush and the socket shutdown. Smaller images, which could be written and flushed in a single pass, were unaffected. The fix, implemented in hyper's source code, ensures that hyper waits for all data to be flushed from its internal buffer to the kernel's outbound buffer before issuing a socket shutdown.
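The ordering problem described above can be reproduced in a small model. This is an added example, not hyper's code or Cloudflare's patch: Kernel, Conn, send and the buffer sizes are hypothetical names and constructed values standing in for the socket's outbound buffer and hyper's internal buffer.

```rust
// Simplified model of the ordering bug (constructed; not hyper's code).
// Kernel stands in for the socket's outbound buffer.
struct Kernel { room: usize, delivered: usize, closed: bool }

impl Kernel {
    // Accept as many bytes as currently fit; 0 means "would block".
    fn write(&mut self, data: &[u8]) -> usize {
        if self.closed { return 0; }
        let n = data.len().min(self.room);
        self.room -= n;
        self.delivered += n;
        n
    }
    // The slow reader consumes n bytes, freeing space for the writer.
    fn reader_drains(&mut self, n: usize) { self.room += n; }
    fn shutdown(&mut self) { self.closed = true; }
}

// Conn stands in for the library's internal buffer plus its socket.
struct Conn { body: Vec<u8>, sent: usize, kernel: Kernel }

impl Conn {
    // One flush attempt; true only when the internal buffer is empty.
    fn flush_once(&mut self) -> bool {
        let n = self.kernel.write(&self.body[self.sent..]);
        self.sent += n;
        self.sent == self.body.len()
    }
    // Pre-fix ordering: shut down after one attempt, ignoring its result.
    fn close_early(&mut self) { self.flush_once(); self.kernel.shutdown(); }
    // Fixed ordering: shut down only after the buffer has fully drained.
    fn close_after_drain(&mut self) {
        while !self.flush_once() { self.kernel.reader_drains(4096); }
        self.kernel.shutdown();
    }
}

// Returns the bytes the peer can read before it sees end of stream.
fn send(body_len: usize, room: usize, fixed: bool) -> usize {
    let kernel = Kernel { room, delivered: 0, closed: false };
    let mut c = Conn { body: vec![0xAB; body_len], sent: 0, kernel };
    if fixed { c.close_after_drain(); } else { c.close_early(); }
    c.kernel.delivered
}

fn main() {
    for (len, fixed) in [(1_000, false), (100_000, false), (100_000, true)] {
        println!("declared={} fixed={} delivered={}", len, fixed, send(len, 8_192, fixed));
    }
}
```

A body that fits in the outbound buffer is delivered whole under either ordering, which is why only larger responses were affected; a receiver that compares the delivered count with the declared length sees the truncation that the 200 status hides.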
Cloudflare has patched the vulnerability internally across its edge network and has contributed the fix to the upstream hyper project. The company noted that the bug did not affect other services using hyper because the timing window was specific to the direct Unix socket path used by the new Images binding architecture. No customer data was lost or exposed, as the truncation only affected image transformation responses, not stored data.
The incident highlights the challenges of debugging race conditions in high-performance networked systems, where timing differences of a few milliseconds can cause silent failures. Cloudflare's postmortem emphasizes the importance of thorough testing under varied latency conditions when rearchitecting critical infrastructure components.