A shocking revelation has emerged in the world of cybersecurity, highlighting a critical vulnerability in Cloudflare's Web Application Firewall (WAF). This zero-day flaw, discovered by the security researchers at FearsOff, has the potential to shake up the online security landscape.
Imagine a scenario where attackers can bypass all security measures and gain direct access to protected servers, and that's exactly what this vulnerability allows. But here's where it gets controversial: the issue lies in a specific certificate validation process, which, when exploited, opens a backdoor to sensitive data.
The Automatic Certificate Management Environment (ACME) protocol, designed to automate SSL/TLS certificate validation, has an unintended consequence. In the HTTP-01 validation method, a one-time token is served at a specific path, /.well-known/acme-challenge/{token}. This path, intended for a single validation bot, has become a potential gateway for attackers.
FearsOff researchers stumbled upon this vulnerability while reviewing applications with specific WAF configurations. They found that requests directed at the ACME challenge path bypassed all WAF rules, allowing the origin server to respond directly. This meant that even with global access blocked, attackers could still find a way in.
To demonstrate the severity of the issue, researchers created controlled demonstration hosts. Normal requests were blocked as expected, but ACME path requests revealed a different story: origin-generated responses, often framework errors, were returned.
The root cause? A logic error in Cloudflare's edge network processing for ACME HTTP-01 challenge paths. When Cloudflare served challenge tokens for its managed certificate orders, WAF features were disabled to avoid interference with validation. However, if the token didn't match a Cloudflare-managed order, the request bypassed WAF evaluation entirely.
This narrow exception became a broad security bypass, affecting all hosts behind Cloudflare protection. Researchers were able to demonstrate multiple attack vectors, exposing sensitive data in various web frameworks. From Spring/Tomcat applications to Next.js server-side rendering, and even PHP applications with local file inclusion vulnerabilities, the impact was widespread.
The vulnerability also allowed attackers to bypass account-level WAF rules configured to block requests based on custom headers. This meant that even carefully crafted security measures were rendered useless for ACME path traffic.
FearsOff reported this critical issue through Cloudflare's HackerOne bug bounty program on October 9, 2025. Cloudflare initiated validation promptly, and a permanent fix was deployed on October 27, 2025. The fix ensures that security features are only disabled when requests match valid ACME HTTP-01 challenge tokens for the specific hostname.
Cloudflare has stated that no customer action is required and that there is no evidence of malicious exploitation. However, this incident serves as a stark reminder of the ever-evolving nature of cybersecurity threats.
Stay informed and follow us on Google News, LinkedIn, and X for daily updates on cybersecurity. We'd love to hear your thoughts and insights on this critical vulnerability and its implications. What are your thoughts on this security bypass? Do you think it could have been prevented? Join the discussion and share your comments!
