Cloudflare Fixes Zero-Day Flaw That Allowed Attackers To Bypass Web Application Firewall
Cloudflare has patched a critical zero-day vulnerability in its Web Application Firewall (WAF) that allowed attackers to bypass customer-defined security rules and directly access protected origin servers, raising concerns about the security implications of automated certificate management systems widely used across the internet.
The flaw, discovered by security researchers at FearsOff, involved an unintended interaction between Cloudflare’s edge network and the Automatic Certificate Management Environment (ACME) protocol, a standard mechanism used by Certificate Authorities (CAs) such as Let’s Encrypt to verify domain ownership and issue SSL/TLS certificates.
How the Vulnerability Worked
At the center of the issue was the well-known ACME HTTP-01 validation path, /.well-known/acme-challenge/, a directory that exists on most modern websites to support automated certificate issuance and renewal. Under normal circumstances, this endpoint is accessed only briefly and exclusively by certificate validation bots, which retrieve a one-time token to confirm control of a domain.
According to FearsOff researchers, Cloudflare’s infrastructure treated traffic to this path as a special case. Requests targeting the ACME challenge directory were allowed to reach the origin server even when customers had explicitly configured WAF rules to block all inbound traffic except from trusted sources.
“This behavior effectively created a hidden tunnel through Cloudflare’s security layer,” the researchers said, noting that the exception was not visible to customers and could not be mitigated through configuration.
WAF Bypass Confirmed Across Multiple Environments
To determine whether the issue was limited to specific customer setups, FearsOff established several test environments using common web stacks, including PHP, Spring/Tomcat, and Next.js. These test hosts were configured with strict WAF policies designed to block all unsolicited traffic.
While standard requests were correctly intercepted and blocked by Cloudflare’s edge network, requests sent to the ACME challenge path bypassed WAF inspection entirely. Instead of receiving Cloudflare block pages, the researchers observed direct responses generated by the origin applications, typically framework-specific error pages such as HTTP 404 responses.
The results confirmed that the flaw was systemic rather than the result of customer misconfiguration.
Root Cause: Certificate Automation Logic
Cloudflare later confirmed that the vulnerability originated in the logic used to support its own managed certificate services. To prevent interference with certificate issuance, Cloudflare temporarily disables certain security checks when serving valid ACME HTTP-01 challenge tokens for customer domains.
However, the implementation contained a critical logic error. If an incoming request targeted the ACME challenge path but did not correspond to an active Cloudflare-managed certificate order, the request skipped WAF evaluation altogether and was forwarded directly to the origin server.
What was intended to be a narrowly scoped exception for certificate validation was effectively transformed into a universal bypass for WAF protections on all Cloudflare-hosted sites.
Security Impact and Exploitation Scenarios
The bypass opened the door to multiple high-risk attack vectors, particularly against applications that rely on Cloudflare’s WAF as a primary security control.
In Spring- and Tomcat-based applications, researchers demonstrated servlet path traversal techniques using specially crafted URLs such as ..;/ to access restricted actuator endpoints. These endpoints exposed sensitive operational data, including environment variables, database credentials, API tokens, and cloud provider access keys.
Next.js applications using server-side rendering were also affected. Because the requests reached the origin directly, internal error messages and operational metadata—normally shielded from public access—were exposed.
PHP-based applications proved vulnerable as well. In cases where local file inclusion (LFI) flaws existed, attackers could exploit the WAF bypass to read arbitrary files from the server’s filesystem, significantly increasing the risk of data exposure or remote code execution.
The issue also undermined account-level WAF rules that block requests based on headers, geolocation, or authentication requirements, as these controls were entirely ignored for ACME-path traffic.
Disclosure and Response Timeline
FearsOff reported the vulnerability to Cloudflare via the company’s HackerOne bug bounty program on October 9, 2025. Cloudflare began internal validation four days later, with HackerOne formally triaging the report on October 14.
After confirming the issue, Cloudflare deployed a permanent fix on October 27, modifying its edge logic to ensure that WAF and security controls are disabled only when a request precisely matches a valid ACME HTTP-01 challenge token for the specific hostname involved.
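The root-cause description above (a challenge-path exception that fell through to the origin when no matching certificate order existed) and the corrected rule (the exception fires only for an exact hostname/token match) can be modelled as a small edge routing decision. The following is an added illustration written for this article; it is not Cloudflare's or FearsOff's code, and every hostname, token, client address and WAF policy in it is a constructed assumption. It shows the flawed and the fixed decision side by side so the difference in WAF coverage is visible in the returned decisions rather than just described.

```python
"""
Model of an edge proxy's decision for requests on the ACME HTTP-01 path.

`Edge.decide_vulnerable` reproduces the logic error described in the
article: any request under /.well-known/acme-challenge/ skips WAF
evaluation, whether or not a managed-certificate order is active.
`Edge.decide_fixed` applies the corrected rule: the exception is taken
only when the hostname and token exactly match an active challenge, and
everything else receives normal WAF evaluation.

All hostnames, tokens, client addresses and rules are constructed sample
data (hypothetical), not values from the incident.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

ACME_PREFIX = "/.well-known/acme-challenge/"


@dataclass(frozen=True)
class Request:
    host: str
    path: str
    client_ip: str


@dataclass
class Edge:
    # Active managed-certificate orders: hostname -> tokens being validated.
    active_challenges: Dict[str, Set[str]] = field(default_factory=dict)
    # Customer WAF policy: returns True when the request may reach the origin.
    waf_allow: Callable[[Request], bool] = lambda r: True

    def _challenge_token(self, req: Request) -> Optional[str]:
        """Return the single-segment token of an ACME path, else None."""
        if not req.path.startswith(ACME_PREFIX):
            return None
        token = req.path[len(ACME_PREFIX):]
        return token if token and "/" not in token else None

    def _is_active_challenge(self, req: Request, token: str) -> bool:
        return token in self.active_challenges.get(req.host, set())

    def _apply_waf(self, req: Request) -> str:
        return "forward-origin" if self.waf_allow(req) else "waf-block"

    def decide_vulnerable(self, req: Request) -> str:
        """Flawed logic: the path prefix alone is enough to skip the WAF."""
        if req.path.startswith(ACME_PREFIX):
            token = self._challenge_token(req)
            if token is not None and self._is_active_challenge(req, token):
                return "serve-challenge"
            # BUG: no matching order, yet the WAF is never consulted and the
            # request is forwarded to the customer's origin unfiltered.
            return "forward-origin-unfiltered"
        return self._apply_waf(req)

    def decide_fixed(self, req: Request) -> str:
        """Corrected logic: only an exact host/token match bypasses the WAF."""
        token = self._challenge_token(req)
        if token is not None and self._is_active_challenge(req, token):
            return "serve-challenge"
        # Every other request, ACME-looking or not, gets normal WAF evaluation.
        return self._apply_waf(req)


def demo() -> Dict[str, Tuple[str, str]]:
    """Run constructed requests through both decisions: name -> (flawed, fixed)."""
    trusted_sources = {"203.0.113.10"}  # constructed "trusted source" policy
    edge = Edge(
        active_challenges={"shop.example": {"tok_ABC"}},
        waf_allow=lambda r: r.client_ip in trusted_sources,
    )
    untrusted = "198.51.100.7"
    cases = {
        "normal-path": Request("shop.example", "/admin", untrusted),
        "active-token": Request("shop.example", ACME_PREFIX + "tok_ABC", untrusted),
        "stale-token": Request("shop.example", ACME_PREFIX + "tok_OLD", untrusted),
        "other-host": Request("blog.example", ACME_PREFIX + "tok_ABC", untrusted),
        "nested-path": Request("shop.example", ACME_PREFIX + "x/y", untrusted),
        "trusted-client": Request("shop.example", "/admin", "203.0.113.10"),
    }
    return {n: (edge.decide_vulnerable(r), edge.decide_fixed(r)) for n, r in cases.items()}


if __name__ == "__main__":
    for name, (flawed, fixed) in demo().items():
        print(f"{name:15} flawed={flawed:26} fixed={fixed}")
```

The "stale-token", "other-host" and "nested-path" cases are the ones that matter: under the flawed decision they reach the origin without any WAF evaluation, while under the fixed decision they fall through to the customer's policy and are blocked like any other untrusted request. A genuine in-flight challenge is served identically in both versions, which is the property the fix had to preserve.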
Post-remediation testing confirmed that WAF rules are now consistently enforced across all URL paths, including the previously exempt ACME challenge directory.
Cloudflare stated that no customer action is required and that it has found no evidence indicating the flaw was exploited in the wild. The company emphasized that the vulnerability has been fully resolved and that additional safeguards have been introduced to prevent similar issues in the future.
Cloudflare has published its own breakdown of how it mitigated the vulnerability.
Conclusion
The incident highlights the risks associated with complex edge-network logic and automated trust mechanisms. While ACME-based certificate automation has dramatically improved internet encryption adoption, the case demonstrates how narrowly scoped exceptions can unintentionally undermine layered security models when implemented at scale.
The lesson here is that security exceptions—even well-intentioned ones—must be treated as high-risk code paths. At the edge, a single logic error can have internet-wide consequences.