Cloudflare Patches ACME Validation Flaw Preventing WAF Bypass to Origin Servers
Cloudflare, a leading web infrastructure and security company, has recently rectified a security vulnerability within its Automatic Certificate Management Environment (ACME) validation process. This flaw had the potential to allow unauthorized access to origin servers by circumventing established security protocols.
The issue was identified in the processing of requests directed to the ACME HTTP-01 challenge path (`/.well-known/acme-challenge/`). Cloudflare’s team, including Hrushikesh Deshpande, Andrew Mitchell, and Leland Garofalo, acknowledged the problem, stating that the vulnerability was rooted in how their edge network handled these specific requests. Importantly, the company confirmed that there is no evidence suggesting that this vulnerability was exploited maliciously.
Understanding ACME and Its Role in Web Security
The ACME protocol, as defined in RFC 8555, is instrumental in automating the issuance, renewal, and revocation of SSL/TLS certificates. These certificates are essential for encrypting web traffic and verifying the authenticity of websites. To ensure that a certificate applicant genuinely controls a domain, Certificate Authorities (CAs) employ challenges, such as the HTTP-01 challenge.
In the HTTP-01 challenge, the domain owner places a specific validation token and key fingerprint at a designated URL (`https://
The Vulnerability’s Mechanism
When a certificate order is managed by Cloudflare, the company responds to the ACME challenge path by providing the token supplied by the CA. If the request does not correspond to a Cloudflare-managed order, it is forwarded to the customer’s origin server, which may utilize a different system for domain validation.
The vulnerability, discovered and reported by the security firm FearsOff in October 2025, stemmed from a flawed implementation in Cloudflare’s ACME validation process. This flaw allowed certain challenge requests to bypass Web Application Firewall (WAF) rules, granting direct access to the origin server when such access should have been restricted.
Specifically, the validation logic failed to confirm whether the token in the request matched an active challenge for the targeted hostname. This oversight enabled attackers to send arbitrary requests to the ACME path, effectively circumventing WAF protections and reaching the origin server without proper authorization.
Cloudflare’s Response and Resolution
Cloudflare explained that, previously, when serving an HTTP-01 challenge token, if the requested path matched a token for an active challenge in their system, the logic would disable WAF features to prevent interference with the CA’s validation process. However, if the token was associated with a different zone not directly managed by Cloudflare, the request would proceed to the customer origin without WAF rule processing.
Kirill Firsov, founder and CEO of FearsOff, highlighted the potential risks, noting that a malicious actor could exploit this vulnerability to obtain a deterministic, long-lived token, thereby accessing sensitive files on the origin server across all Cloudflare hosts. This scenario could facilitate reconnaissance activities and further exploitation.
Cloudflare addressed the vulnerability on October 27, 2025, by implementing a code change that ensures the response is served and WAF features are disabled only when the request matches a valid ACME HTTP-01 challenge token for the specific hostname. This update effectively closes the loophole that allowed unauthorized access to origin servers.
Implications and Best Practices
This incident underscores the critical importance of rigorous validation processes in web security protocols. Even minor oversights can lead to significant vulnerabilities, potentially exposing sensitive data and systems to unauthorized access.
Organizations utilizing ACME for certificate management should ensure that their implementations are robust and regularly reviewed for potential security flaws. Employing comprehensive security measures, including up-to-date WAF configurations and continuous monitoring, is essential to safeguard against similar vulnerabilities.
Furthermore, this case highlights the value of collaboration between security researchers and organizations. The prompt identification and reporting of the vulnerability by FearsOff, coupled with Cloudflare’s swift response, exemplify effective practices in maintaining and enhancing web security.
Conclusion
Cloudflare’s proactive approach in addressing the ACME validation vulnerability reinforces the company’s commitment to security and the protection of its clients’ assets. This incident serves as a reminder of the ever-evolving nature of cybersecurity threats and the necessity for continuous vigilance and improvement in security protocols.
