Security Vulnerability Remediation (Affected Versions: < 10.23.3)

[eastspire]

---

Security & Behavior Regression Notice

Under keep-alive connections, the same instance could be reused multiple times, leading to cross-request context state leakage.
The ctx lifecycle was not fully isolated per request, which is a long-standing design issue rather than one newly introduced by this change.

A recent modification further exposed this behavior by causing ctx.aborted() and ctx.closed() to stop working correctly, which broke request interception and lifecycle hooks.

Affected code:
https://github.com/hyperlane-dev/hyperlane/blob/a8efce23092098bee023911c30ecd3807225c754/src/server/impl.rs

Impact

• ctx.aborted and ctx.closed no longer reflected the actual connection state
• Request interception and lifecycle-based controls became ineffective
• Under keep-alive connections, a single ctx instance could be reused across multiple requests, resulting in cross-request context state leakage

Fixes

• v10.23.1 — Restored ctx.aborted() behavior and lifecycle interception f5565ba

• v10.23.3 — Ensured ctx is no longer reused under keep-alive connections, preventing cross-request context state leakage 87f6745

Recommendation

Users are strongly advised to upgrade to v10.23.3 or later to ensure correct request isolation and lifecycle handling.

---

Minimal Reproduction Demo

With the problematic code, when accessing http://127.0.0.1:80, the console will sequentially output "Middleware1 reached" and "Middleware2 reached".
The fact that "Middleware2 reached" is printed is not the expected behavior, because the first middleware should have aborted the subsequent lifecycle processing.

use hyperlane::*;

struct Middleware1;

struct Middleware2;

impl ServerHook for Middleware1 {
    async fn new(_ctx: &hyperlane::Context) -> Self {
        Self
    }

    async fn handle(self, ctx: &Context) {
        println!("Middleware1 reached");
        ctx.aborted().await;
    }
}

impl ServerHook for Middleware2 {
    async fn new(_ctx: &hyperlane::Context) -> Self {
        Self
    }

    async fn handle(self, _ctx: &Context) {
        println!("Middleware2 reached");
    }
}

#[tokio::main]
async fn main() {
    Server::new()
        .await
        .request_middleware::<Middleware1>()
        .await
        .request_middleware::<Middleware2>()
        .await
        .run()
        .await
        .unwrap()
        .wait()
        .await;
}

Why This Issue Was Not Detected During Testing

The issue was not identified during the testing phase because the unit test coverage was incomplete. The test cases determined whether a request was successfully sent solely based on the response result, rather than checking the console output.

Before sending a response, the framework performs a real-time interruption state check. As a result, when the context is marked as interrupted, the response is neither processed nor sent, making the anomaly undetectable from the response layer.