Cloudflare Zero-Day Vulnerability Allows Unlimited Host Access, Bypassing Protections


A newly discovered zero-day vulnerability in Cloudflare’s Web Application Firewall (WAF) has raised significant security concerns. The flaw allowed attackers to bypass customer security controls and reach protected origin servers unrestricted simply by sending requests to the path reserved for certificate validation.

Understanding the Vulnerability

The vulnerability was identified by security researchers at FearsOff. They found that requests aimed at the /.well-known/acme-challenge/ directory could circumvent customer-configured WAF rules, which typically block other traffic.

How the ACME Protocol Works

The Automatic Certificate Management Environment (ACME) protocol helps automate the verification of domain ownership for SSL/TLS certificates. During the HTTP-01 validation process, Certificate Authorities (CAs) expect websites to serve a one-time token located at:

  • /.well-known/acme-challenge/{token}

This path is ordinarily a low-traffic maintenance route used only for automated certificate handling, intended to be reachable by CA validation bots and nothing else.

Critical Findings by FearsOff Researchers

The vulnerability surfaced while FearsOff analyzed applications where WAF settings imposed strict access controls. Their testing demonstrated that requests targeting the ACME challenge path completely bypassed WAF rules, leading to direct responses from the origin server instead of Cloudflare’s usual block page.

Controlled Demonstration Hosts

Researchers established test environments at:

  • cf-php.fearsoff.org
  • cf-spring.fearsoff.org
  • cf-nextjs.fearsoff.org

Standard requests to these URLs encountered block pages as expected. However, requests to the ACME challenge paths resulted in origin responses, such as framework-specific 404 errors, indicating a significant issue.

Root Cause of the Flaw

The vulnerability stemmed from Cloudflare’s processing logic for ACME HTTP-01 challenge paths. Notably, when the challenge tokens were issued for Cloudflare-managed certificates, the WAF features were disabled to ensure CA interaction was unhindered. A flaw in this design allowed requests without matching tokens to completely bypass WAF evaluation.

Potential Attack Vectors Exposed

This security flaw introduced various attack vectors against common web frameworks. Key findings included:

  • Spring/Tomcat: Attackers could exploit servlet path traversal techniques to access sensitive data.
  • Next.js: Sensitive operational data could be leaked via unintended origin responses.
  • PHP: Vulnerabilities led to local file inclusion, allowing file system access through malicious parameters.

Additionally, WAF rules blocking requests based on custom headers were ignored for traffic through the ACME path.

Reporting and Resolution Timeline

FearsOff reported this vulnerability through Cloudflare’s HackerOne bug bounty program on October 9, 2025. Validation efforts commenced on October 13, and by October 14, the issue was triaged. A permanent fix was deployed by October 27, 2025.

This fix modified the code to disable security features exclusively for valid ACME HTTP-01 challenge tokens associated with specific hostnames. Post-deployment tests confirmed that WAF rules now apply consistently across all paths, including the previously affected ACME challenge route.
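The root cause and the fix described above, as an added illustration that is not Cloudflare's code (all names are hypothetical): a gate that exempts traffic from WAF evaluation by path prefix alone, beside one that exempts only a GET for a well-formed token the certificate manager actually issued for that hostname.

```python
"""Hypothetical WAF-exemption gate for ACME HTTP-01 traffic (added example)."""
import re
from dataclasses import dataclass, field

ACME_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 tokens are base64url without padding; 22+ chars covers 128 bits.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")


@dataclass
class ChallengeRegistry:
    """Constructed stand-in for the issuance state a certificate manager keeps:
    which HTTP-01 tokens are outstanding, keyed by hostname."""
    pending: dict[str, set[str]] = field(default_factory=dict)

    def issue(self, host: str, token: str) -> None:
        self.pending.setdefault(host.lower(), set()).add(token)

    def is_issued(self, host: str, token: str) -> bool:
        return token in self.pending.get(host.lower(), set())


def skip_waf_flawed(host: str, method: str, path: str, reg: ChallengeRegistry) -> bool:
    """Pre-fix behaviour as the article describes it: anything under the ACME
    prefix bypasses WAF evaluation, regardless of what follows the prefix."""
    return path.startswith(ACME_PREFIX)


def skip_waf_fixed(host: str, method: str, path: str, reg: ChallengeRegistry) -> bool:
    """Post-fix behaviour: exempt only a GET whose tail is exactly one well-formed
    token that was issued for this hostname; everything else goes through the WAF."""
    if method != "GET" or not path.startswith(ACME_PREFIX):
        return False
    token = path[len(ACME_PREFIX):]
    if not TOKEN_RE.fullmatch(token):  # rejects empty tail, '/', '?', '..', etc.
        return False
    return reg.is_issued(host, token)


def evaluate(reg: ChallengeRegistry, requests: list[tuple[str, str, str]]):
    """Return (flawed, fixed) exemption decisions for each (host, method, path)."""
    return [(skip_waf_flawed(*r, reg), skip_waf_fixed(*r, reg)) for r in requests]
```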

Conclusion

Cloudflare has indicated no action is required from customers and reported no evidence of malicious exploitation. As cybersecurity threats continue to evolve, continuous monitoring is essential.