Cloudflare Fixes Zero-Day Flaw Allowing WAF Bypass via ACME Protocol Exploit

Cloudflare, a leading provider of web security and performance services, recently addressed a critical zero-day vulnerability that allowed attackers to bypass its Web Application Firewall (WAF) protections and directly access protected origin servers. This flaw, discovered by security researchers at FearsOff, exploited the Automatic Certificate Management Environment (ACME) protocol’s certificate validation path, specifically targeting the /.well-known/acme-challenge/ directory.

Understanding the ACME Protocol and Its Role in Certificate Validation

The ACME protocol is widely used to automate the issuance and renewal of SSL/TLS certificates, ensuring secure communication over the internet. During the HTTP-01 validation method, Certificate Authorities (CAs) verify domain ownership by requesting that a website serve a unique token at the /.well-known/acme-challenge/{token} path. This mechanism is designed to be a controlled and secure process, allowing only the CA’s validation bot to access a specific file for verification purposes.

Discovery of the Vulnerability

FearsOff researchers identified the vulnerability while analyzing applications with WAF configurations that restricted global access, permitting only specific sources. They observed that requests directed at the ACME challenge path could circumvent WAF rules entirely, enabling direct communication with the origin server. This behavior was unexpected, as the WAF is intended to block unauthorized access attempts.

To validate their findings, the researchers set up controlled demonstration hosts, including cf-php.fearsoff.org, cf-spring.fearsoff.org, and cf-nextjs.fearsoff.org. While standard requests to these hosts were appropriately blocked by the WAF, requests targeting the ACME challenge path received responses directly from the origin servers, typically resulting in framework-specific 404 errors.

Technical Analysis of the Flaw

The root cause of this vulnerability lay in Cloudflare’s edge network processing logic for ACME HTTP-01 challenge paths. When Cloudflare managed certificate orders, it disabled WAF features for these specific paths to prevent interference with CA validation processes. However, a critical oversight occurred: if a request for an ACME challenge token did not correspond to a Cloudflare-managed certificate order, the system still bypassed WAF evaluation and forwarded the request directly to the customer’s origin server.

This misconfiguration effectively transformed a narrowly intended exception into a broad security loophole, exposing all hosts protected by Cloudflare to potential unauthorized access.

Potential Exploitation Scenarios

The implications of this vulnerability were significant, as it opened multiple attack vectors across various web frameworks:

– Spring/Tomcat Applications: Attackers could employ servlet path traversal techniques using sequences like `..;/` to access sensitive actuator endpoints. These endpoints could reveal critical information such as process environments, database credentials, API tokens, and cloud service keys.

– Next.js Applications: Server-side rendering applications built with Next.js could inadvertently expose operational data through direct origin responses. This data was not intended for public access and could include sensitive information about the application’s internal workings.

– PHP Applications: Websites utilizing PHP with local file inclusion vulnerabilities became susceptible to exploitation. Malicious actors could manipulate path parameters to access the file system, potentially leading to unauthorized data exposure or code execution.

Additionally, account-level WAF rules designed to block requests based on custom headers were rendered ineffective for ACME path traffic, further compromising security measures.

Timeline of Discovery and Remediation

The vulnerability was reported to Cloudflare through its HackerOne bug bounty program on October 9, 2025. Cloudflare initiated internal validation on October 13, 2025, and the issue was formally triaged by HackerOne on October 14, 2025. Recognizing the severity of the flaw, Cloudflare deployed a permanent fix on October 27, 2025.

The remediation involved modifying the edge network’s processing logic to ensure that WAF and other security features are disabled only when a request precisely matches a valid ACME HTTP-01 challenge token for the specific hostname involved. Post-remediation testing confirmed that WAF rules are now consistently enforced across all URL paths, including the previously vulnerable ACME challenge directory.
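The flawed and corrected edge decisions described above, written out as an added Python example (this is not Cloudflare's code; the order registry, hostnames, function names and sample requests are all constructed for illustration):

```python
import re

ACME_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 HTTP-01 tokens carry at least 128 bits of entropy encoded as
# base64url without padding, so a genuine challenge path is the prefix
# followed by exactly one token segment of 22 or more such characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22,}")

# Constructed stand-in for the edge's record of Cloudflare-managed
# certificate orders: hostname -> tokens currently awaiting CA validation.
ACTIVE_ORDERS = {
    "shop.example": {"kx8QjY2pZ1aB3cD4eF5gH6iJ7kL8mN9o"},
}


def bypass_waf_before_fix(host: str, path: str) -> bool:
    """Pre-fix behaviour as the article describes it: any request under the
    ACME prefix skipped WAF evaluation, whether or not a managed order existed."""
    return path.startswith(ACME_PREFIX)


def bypass_waf_after_fix(host: str, path: str) -> bool:
    """Post-fix behaviour: skip the WAF only when the path is exactly one
    well-formed token that belongs to an active order for this specific host."""
    if not path.startswith(ACME_PREFIX):
        return False
    token = path[len(ACME_PREFIX):]
    if not TOKEN_RE.fullmatch(token):  # rejects '..;/', extra segments, '?'
        return False
    return token in ACTIVE_ORDERS.get(host, set())


# Constructed requests covering the cases the article discusses.
SAMPLE_REQUESTS = [
    ("shop.example", ACME_PREFIX + "kx8QjY2pZ1aB3cD4eF5gH6iJ7kL8mN9o"),   # genuine CA probe
    ("shop.example", ACME_PREFIX + "not-a-real-order-token-00000000"),    # no matching order
    ("shop.example", ACME_PREFIX + "..;/some-other-path"),                 # traversal suffix
    ("other.example", ACME_PREFIX + "kx8QjY2pZ1aB3cD4eF5gH6iJ7kL8mN9o"),  # token for another host
]


def compare() -> list:
    """Return (path, bypass_before_fix, bypass_after_fix) for each sample request."""
    return [(p, bypass_waf_before_fix(h, p), bypass_waf_after_fix(h, p))
            for h, p in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for path, before, after in compare():
        print(f"{path:60} before={before!s:5} after={after}")
```

Only the first request still skips the WAF after the fix; the other three are evaluated like any other traffic.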

Cloudflare’s Response and Recommendations

Cloudflare has stated that no customer action is required, as the patch has been deployed across its network. Furthermore, it has found no evidence indicating that the flaw was exploited in the wild prior to its discovery and remediation.

This incident underscores the importance of continuous security assessments and prompt responses to identified vulnerabilities. Organizations are encouraged to:

– Regularly Review Security Configurations: Ensure that all security measures, including WAF rules, are correctly configured and up to date.

– Monitor for Unusual Activity: Implement robust monitoring to detect and respond to anomalous access patterns or unauthorized attempts to reach protected resources.

– Engage in Responsible Disclosure: Collaborate with security researchers and participate in bug bounty programs to identify and address vulnerabilities proactively.
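One way an origin operator could act on the monitoring recommendation for this specific flaw, as an added example (not from the article, Cloudflare or FearsOff): scan origin access logs for requests under the ACME challenge path that do not correspond to a token the site's own ACME client is serving. The log lines, IP addresses and token values below are constructed, and the assumption is that the operator keeps a record of the tokens its own client publishes.

```python
import re

ACME_PREFIX = "/.well-known/acme-challenge/"
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22,}")  # one base64url token, nothing else
# Common log format: client ip, identity, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed: tokens this origin's own ACME client is currently serving.
PUBLISHED_TOKENS = {"A3fQ9zL2mX8vB1nC7kP4rT6wY0sD5hJ2"}

# Constructed origin-side access log covering a legitimate CA probe, a
# traversal-style suffix, an unknown token, and ordinary traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Oct/2025:10:00:01 +0000] "GET /.well-known/acme-challenge/A3fQ9zL2mX8vB1nC7kP4rT6wY0sD5hJ2 HTTP/1.1" 200 87
198.51.100.7 - - [27/Oct/2025:10:00:05 +0000] "GET /.well-known/acme-challenge/..;/private-area HTTP/1.1" 200 5120
198.51.100.7 - - [27/Oct/2025:10:00:06 +0000] "GET /.well-known/acme-challenge/zzzzzzzzzzzzzzzzzzzzzzzz HTTP/1.1" 404 120
192.0.2.5 - - [27/Oct/2025:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 4312
"""


def classify(path: str):
    """None for non-ACME paths; otherwise 'expected', 'unknown-token' or 'malformed-token'."""
    if not path.startswith(ACME_PREFIX):
        return None
    token = path[len(ACME_PREFIX):]
    if not TOKEN_RE.fullmatch(token):
        return "malformed-token"   # extra segments, '..;/', query strings
    if token not in PUBLISHED_TOKENS:
        return "unknown-token"     # nobody on this host asked a CA to fetch it
    return "expected"


def find_suspicious(log_text: str) -> list:
    """Return (ip, path, status, verdict) for ACME-path requests that reached
    the origin without matching a published token. A non-404 status on such a
    request means the origin actually served content through the bypass."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, path, status = m.groups()
        verdict = classify(path)
        if verdict in ("malformed-token", "unknown-token"):
            findings.append((ip, path, int(status), verdict))
    return findings


if __name__ == "__main__":
    for ip, path, status, verdict in find_suspicious(SAMPLE_LOG):
        print(f"{verdict:16} {status} {ip:14} {path}")
```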

Conclusion

The discovery and swift remediation of this zero-day vulnerability highlight the critical role of vigilant security practices and the value of collaboration between security researchers and service providers. By addressing such vulnerabilities promptly, organizations can maintain the integrity and trustworthiness of their services, ensuring the protection of their clients’ data and resources.