Critical Cloudflare Zero-Day: WAF Bypass Exposes Origin Servers! (2026)

Cloudflare's Zero-Day Vulnerability: Unlocking Unprotected Origins

A critical zero-day vulnerability in Cloudflare's Web Application Firewall (WAF) has been uncovered, allowing attackers to bypass security controls and directly access protected origin servers. This vulnerability, discovered by security researchers from FearsOff, highlights a significant flaw in the way Cloudflare handles requests targeting the /.well-known/acme-challenge/ directory.

The Automatic Certificate Management Environment (ACME) protocol, used for automating SSL/TLS certificate validation, is at the heart of this issue. In the HTTP-01 validation method, Certificate Authorities (CAs) expect websites to serve a one-time token at /.well-known/acme-challenge/{token}. Although this path is intended to be read only by the CA's validation client, Cloudflare's handling of it turned a narrow exception into a much broader security concern.

FearsOff researchers found that WAF configurations, which typically block global access and permit only specific sources, could be bypassed when requests were directed at the ACME challenge path. This allowed the origin server to respond directly, bypassing Cloudflare's block page and potentially exposing sensitive data.

To demonstrate the vulnerability, researchers created controlled demonstration hosts at cf-php.fearsoff.org, cf-spring.fearsoff.org, and cf-nextjs.fearsoff.org. Normal requests to these hosts functioned as expected, but ACME path requests returned origin-generated responses, often revealing framework 404 errors. The root cause was a logic error in Cloudflare's edge network processing for ACME HTTP-01 challenge paths.

When Cloudflare served challenge tokens for its own managed certificate orders, the system disabled WAF features to prevent interference with CA validation. However, a critical flaw emerged: if the requested token didn't match a Cloudflare-managed certificate order, the request bypassed WAF evaluation entirely and proceeded directly to the customer origin. This logic error transformed a narrow certificate validation exception into a broad security bypass affecting all hosts behind Cloudflare protection.

The bypass enabled researchers to demonstrate multiple attack vectors against common web frameworks. On Spring/Tomcat applications, servlet path traversal techniques using ..;/ accessed sensitive actuator endpoints, exposing process environments, database credentials, API tokens, and cloud keys. Next.js server-side rendering applications leaked operational data through direct origin responses that were never intended for public internet access. PHP applications with local file inclusion vulnerabilities became exploitable, allowing attackers to access the file system via malicious path parameters.

FearsOff reported the vulnerability through Cloudflare's HackerOne bug bounty program on October 9, 2025. Cloudflare promptly initiated validation on October 13, 2025, and HackerOne triaged the issue on October 14, 2025. A permanent fix was deployed on October 27, 2025, modifying the code to disable security features only when requests match valid ACME HTTP-01 challenge tokens for the specific hostname. Post-fix testing confirmed that WAF rules now apply uniformly across all paths, including the previously vulnerable ACME challenge route.
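The flaw described above (an unmatched token still skipped WAF evaluation) and the fix (exempt the path only when the token matches a pending order for that exact hostname) can be expressed as a small routing decision. The following is an added illustration, not Cloudflare's code or FearsOff's proof of concept; the `Edge`, `pending_orders` and `audit_acme_requests` names, the token character check and the sample log lines are all constructed for this example. It also includes a defender-side log audit that flags ACME-path requests whose token is not a known order, which is the kind of check a site operator could run against origin access logs.

```python
"""Added example: model of the ACME HTTP-01 WAF exemption, flawed and fixed,
plus a log audit for unexpected ACME-path hits (constructed, not Cloudflare code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

ACME_PREFIX = "/.well-known/acme-challenge/"
# Assumption for this example: HTTP-01 tokens use the base64url alphabet (RFC 8555).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


@dataclass
class Request:
    host: str
    path: str


@dataclass
class Edge:
    # hostname -> tokens of pending managed certificate orders (constructed state)
    pending_orders: Dict[str, Set[str]] = field(default_factory=dict)

    def acme_token(self, req: Request):
        """Return the token portion of an ACME challenge path, or None."""
        if not req.path.startswith(ACME_PREFIX):
            return None
        return req.path[len(ACME_PREFIX):]

    def flawed_decision(self, req: Request) -> str:
        """Pre-fix behaviour as the article describes it: any ACME path skips the WAF,
        and an unknown token falls through to the origin without filtering."""
        token = self.acme_token(req)
        if token is None:
            return "waf"
        if token in self.pending_orders.get(req.host, set()):
            return "serve_challenge"
        return "origin_unfiltered"  # the bug: WAF already disabled for this path

    def fixed_decision(self, req: Request) -> str:
        """Post-fix behaviour: the exemption applies only to a well-formed token that
        matches a pending order for this specific hostname; everything else is WAF'd."""
        token = self.acme_token(req)
        if token is None:
            return "waf"
        known = self.pending_orders.get(req.host, set())
        if TOKEN_RE.fullmatch(token) and token in known:
            return "serve_challenge"
        return "waf"


# Constructed access-log lines: "<host> <method> <path> <status>"
SAMPLE_LOG = """\
example.test GET /index.html 200
example.test GET /.well-known/acme-challenge/tok_valid_abc 200
example.test GET /.well-known/acme-challenge/not_an_order 404
other.test GET /.well-known/acme-challenge/tok_valid_abc 404
"""


def audit_acme_requests(log_text: str, pending_orders: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (host, token) pairs for ACME-path requests whose token is not a
    pending order for that host. On a correctly protected origin these should be
    rare; a stream of them indicates probing through the challenge path."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        host, _method, path, _status = parts
        if not path.startswith(ACME_PREFIX):
            continue
        token = path[len(ACME_PREFIX):]
        if token not in pending_orders.get(host, set()):
            flagged.append((host, token))
    return flagged


if __name__ == "__main__":
    edge = Edge(pending_orders={"example.test": {"tok_valid_abc"}})
    probe = Request("example.test", "/.well-known/acme-challenge/not_an_order")
    print("flawed:", edge.flawed_decision(probe))
    print("fixed: ", edge.fixed_decision(probe))
    print("audit: ", audit_acme_requests(SAMPLE_LOG, edge.pending_orders))
```

The hostname scoping in `fixed_decision` matters: a token that is valid for one zone must not open the exemption on another, which is why the lookup is keyed by `req.host` rather than by token alone.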

Cloudflare stated that no customer action is required and confirmed that no evidence of malicious exploitation has been found. The company's swift response and resolution of this zero-day vulnerability demonstrate its commitment to maintaining a secure and reliable service for its users.
