A critical zero-day vulnerability was found in Cloudflare's Web Application Firewall (WAF) that enabled attackers to bypass security controls and reach origin servers directly through a certificate validation path.
Security researchers at FearsOff found that traffic sent to the path /.well-known/acme-challenge/ could still reach origins even when customer WAF rules completely restricted all other traffic.
Automatic Certificate Management Environment (ACME) is an application-layer protocol that a certificate authority (CA) uses to verify domain ownership before issuing an SSL/TLS certificate.
For the HTTP-01 validation method, the CA expects the website to serve a single-use token at /.well-known/acme-challenge/{token}. This path is present on almost every contemporary website as a "quiet" control path for automated certificate issuance.
The design intent is that only a single validation bot needs to reach the origin server, and only to fetch that particular file.
Cloudflare Zero-Day Vulnerability
FearsOff researchers found the vulnerability while reviewing applications whose WAF settings blocked access globally and allowed only specific sources.
They confirmed it with a test request to the ACME challenge path, which bypassed the rules altogether: the origin server answered the request directly instead of Cloudflare's block page being returned.
To verify that this was not a tenant-related misconfiguration, the researchers created their own test systems at cf-php.fearsoff.org, cf-spring.fear
While normal requests to those hosts were answered by the block pages as expected, requests on the ACME challenge path to the same hosts received origin-generated responses.
The vulnerability stemmed from the logic in Cloudflare's edge network that handles ACME HTTP-01 challenge paths. When Cloudflare served challenge tokens for Cloudflare-managed certificate orders, it disabled WAF features so that the CA's validation request could complete.
The serious weakness was that if a token was present in the path but did not correspond to a Cloudflare-managed certificate issuance request, the request still bypassed the WAF check altogether.
This logic bug turned a narrowly scoped certificate-validation exception into a WAF bypass for all hosts protected by Cloudflare.
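The following is an added example written for this article, not Cloudflare's code: a small model of the edge-side exemption the article describes, with the pre-fix decision (any token on the challenge path skips the customer WAF) beside the post-fix decision (only a token belonging to a pending order for that exact hostname is exempt). The Request and Edge types, the allow-listed source address, the pending-challenge store and the sample hostnames are all assumptions made for illustration.

```python
"""Model of the edge-side ACME HTTP-01 exemption described in the article.

Added example; not Cloudflare's code. The Request/Edge types, the allow-listed
source addresses and the pending challenge store are assumptions.
"""
from dataclasses import dataclass

ACME_PREFIX = "/.well-known/acme-challenge/"


@dataclass(frozen=True)
class Request:
    host: str
    path: str
    client_ip: str


def acme_token(path):
    """Return the token segment of an HTTP-01 challenge path, else None."""
    if path.startswith(ACME_PREFIX) and len(path) > len(ACME_PREFIX):
        return path[len(ACME_PREFIX):]
    return None


class Edge:
    def __init__(self, allowed_ips, pending_challenges):
        # Customer WAF rule (assumed): allow only the listed source addresses.
        self.allowed_ips = set(allowed_ips)
        # (hostname, token) pairs for certificate orders the edge itself opened.
        self.pending_challenges = set(pending_challenges)

    def waf_blocks(self, req):
        return req.client_ip not in self.allowed_ips

    def dispatch_before_fix(self, req):
        """Pre-fix logic as the article describes it: any request carrying a
        token on the challenge path skips the customer WAF, whether or not the
        token belongs to a managed certificate order."""
        if acme_token(req.path) is not None:
            return "origin"
        return "blocked" if self.waf_blocks(req) else "origin"

    def dispatch_after_fix(self, req):
        """Post-fix logic: the exemption applies only when the token matches a
        pending order for that exact hostname; every other request is evaluated
        by the customer WAF like any other traffic."""
        token = acme_token(req.path)
        if token is not None and (req.host, token) in self.pending_challenges:
            return "origin"
        return "blocked" if self.waf_blocks(req) else "origin"


def demo():
    """Constructed scenario: one allow-listed address, one pending order.
    Returns {case_name: (decision_before_fix, decision_after_fix)}."""
    edge = Edge(allowed_ips={"198.51.100.7"},
                pending_challenges={("app.example.test", "tok-pending-001")})
    outsider = "203.0.113.9"  # not on the customer's allow list
    cases = {
        "normal_path": Request("app.example.test", "/admin/config", outsider),
        "unknown_token": Request("app.example.test", ACME_PREFIX + "anything", outsider),
        "pending_token": Request("app.example.test", ACME_PREFIX + "tok-pending-001", outsider),
        "pending_token_other_host": Request("other.example.test", ACME_PREFIX + "tok-pending-001", outsider),
    }
    return {name: (edge.dispatch_before_fix(r), edge.dispatch_after_fix(r))
            for name, r in cases.items()}


if __name__ == "__main__":
    for name, (before, after) in demo().items():
        print(f"{name:26s} before fix: {before:8s} after fix: {after}")
```

The `pending_token_other_host` case is the point of the hostname binding in the fix: a token that is genuinely pending for one hostname must not exempt traffic to a different hostname on the same edge.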
The bypass allowed the researchers to demonstrate several attack vectors against common web frameworks. In Spring/Tomcat applications, servlet path-traversal techniques such as .;/ gave access to sensitive actuator endpoints that exposed process environments, database credentials, API tokens, and cloud keys.
Next.js server-side rendering applications leaked operational data via direct origin responses that were never intended to be reachable from the public internet.
PHP applications with local file inclusion vulnerabilities became exploitable, since attackers could reach the file system through malicious path parameters. Beyond framework-specific attacks, account-level WAF rules that block requests based on custom headers were ignored entirely for traffic on the ACME path.
FearsOff reported the vulnerability through Cloudflare's HackerOne bug bounty program on October 9, 2025. Cloudflare initiated validation on October 13, 2025, and HackerOne triaged the issue on October 14, 2025.
Cloudflare deployed a permanent fix on October 27, 2025, changing the code so that security features are disabled only for requests that match valid ACME HTTP-01 challenge tokens on the specific hostname.
Post-fix testing showed that WAF rules are now applied uniformly across all paths, including the previously vulnerable ACME challenge route. Cloudflare states that no customer action is needed and that there is no indication of malicious exploitation so far.
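Because the bypass delivered requests to the origin that the edge should have blocked, the origin's own access log is where a site owner can check whether anything arrived on the challenge path during the exposure window. The following is an added example written for this article, not FearsOff's or Cloudflare's tooling: it reads combined-format access log lines and flags every request under /.well-known/acme-challenge/ whose suffix is either not a well-formed token or not a token the local ACME client actually served. The log lines are constructed, and the set of served tokens is assumed to come from the local ACME client's webroot or logs.

```python
"""Origin-side review of access logs for requests that reached the origin on
the ACME challenge path without a token the local ACME client served.

Added example; not the article's or Cloudflare's tooling. SAMPLE_LOG is
constructed, and served_tokens is assumed to be exported from the local
ACME client (its webroot directory or its logs).
"""
import re

ACME_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 section 8.3: a token is base64url characters with no padding.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")
# Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one legitimate validation fetch, one unknown token,
# one malformed suffix that is not a token at all, one unrelated request.
SAMPLE_LOG = """\
203.0.113.9 - - [20/Oct/2025:10:01:02 +0000] "GET /.well-known/acme-challenge/tok-served-001 HTTP/1.1" 200 87 "-" "acme-validator/1.0"
203.0.113.9 - - [20/Oct/2025:10:02:15 +0000] "GET /.well-known/acme-challenge/zzz HTTP/1.1" 404 153 "-" "curl/8.4.0"
203.0.113.9 - - [20/Oct/2025:10:02:40 +0000] "GET /.well-known/acme-challenge/abc/def HTTP/1.1" 200 4120 "-" "curl/8.4.0"
198.51.100.7 - - [20/Oct/2025:10:03:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def review_acme_requests(log_text, served_tokens):
    """Return the requests under the challenge path that should not have
    reached the origin, each with the reason it was flagged."""
    served_tokens = set(served_tokens)
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(ACME_PREFIX):
            continue
        suffix = rec["path"][len(ACME_PREFIX):]
        if not TOKEN_RE.match(suffix):
            reason = "malformed token (not base64url)"
        elif suffix not in served_tokens:
            reason = "token never served by local ACME client"
        else:
            continue  # a genuine validation fetch
        findings.append({
            "ip": rec["ip"],
            "time": rec["ts"],
            "path": rec["path"],
            "status": int(rec["status"]),
            "user_agent": rec["ua"],
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in review_acme_requests(SAMPLE_LOG, {"tok-served-001"}):
        print(f"{f['time']} {f['ip']} {f['status']} {f['path']}  <- {f['reason']}")
```

A flagged 404 with an unknown token may be an ordinary miss, but a flagged 2xx is the case to chase: it shows the origin answered a request on the challenge path that carried no token of its own, which is exactly the traffic the edge should have stopped. The origin cannot see what the edge would have decided, so this review is evidence of reach, not of the edge rule that failed.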