Critical Zero-Day in Cloudflare WAF Exposed Origin Servers to Bypass Attacks
Security researchers from FearsOff uncovered a zero-day vulnerability in Cloudflare’s Web Application Firewall (WAF) that allowed attackers to bypass security controls and directly access protected origin servers. The flaw, discovered in October 2025, stemmed from improper handling of ACME HTTP-01 challenge paths, which are used for automated SSL/TLS certificate validation.
The vulnerability enabled requests to the /.well-known/acme-challenge/ directory to evade WAF rules entirely, even when customer configurations explicitly blocked all other traffic. Normally, this path is restricted to Certificate Authorities (CAs) for domain validation, but the flaw turned it into an unintended gateway to origin servers.
Researchers demonstrated the issue on test hosts (cf-php.fearsoff.org, cf-spring.fearsoff.org, and cf-nextjs.fearsoff.org), where requests on the ACME path returned origin-generated responses, including framework errors and sensitive data, while normal requests were correctly blocked. The root cause was a logic error in Cloudflare’s edge network: if the token in a requested ACME path did not match a Cloudflare-managed certificate order, the request skipped the WAF entirely and was passed straight to the origin.
Exploitation risks included:
- Spring/Tomcat applications: Path traversal attacks exposing database credentials, API tokens, and cloud keys via actuator endpoints.
- Next.js applications: Leakage of server-side rendering data through unintended public responses.
- PHP applications: Exploitation of local file inclusion vulnerabilities via malicious path parameters.
- Custom WAF rules: Bypass of header-based blocking for ACME path traffic.
FearsOff reported the vulnerability via Cloudflare’s HackerOne bug bounty program on October 9, 2025. Cloudflare validated the issue on October 13, triaged it on October 14, and deployed a permanent fix on October 27, ensuring WAF rules now apply uniformly to all paths. The company confirmed no evidence of malicious exploitation and stated that no customer action was required.
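One origin-side check that follows from the advice to verify WAF behaviour on the ACME path: a small access-log scanner that flags requests under /.well-known/acme-challenge/ that a CA would never send (extra path segments, a query string, or a token that is not the base64url string RFC 8555 requires), so a defender can tell from their own logs whether anything reached the origin through that path. This is an added example, not code from FearsOff, Cloudflare or the article; the log lines are constructed, and the first token is the example token from RFC 8555.

```python
import re
from typing import List, Optional, Tuple

# RFC 8555 s8.3: an HTTP-01 token is base64url without padding with at least
# 128 bits of entropy (22+ chars; Let's Encrypt issues 43). A CA's validation
# request is exactly GET <prefix><token> and nothing more.
ACME_PREFIX = "/.well-known/acme-challenge/"
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")

# Apache/nginx combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" (?P<status>\d{3}) ')

def classify_acme_target(target: str) -> Optional[str]:
    """Why a request target is not a well-formed HTTP-01 fetch; None if it is or is out of scope."""
    path, _, query = target.partition("?")
    if not path.startswith(ACME_PREFIX):
        return None                      # not under the ACME path: out of scope
    token = path[len(ACME_PREFIX):]
    if query:
        return "query string on challenge path"
    if "/" in token:
        return "extra path segments under challenge path"
    if not TOKEN_RE.match(token):
        return "token is not base64url"  # also catches empty, '.', '..', '%2e%2e'
    return None

def scan_origin_log(lines) -> List[Tuple[str, int, str, str]]:
    """(ip, status, target, reason) for every ACME-path request a CA would not have sent."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_acme_target(m["target"])
        if reason:
            findings.append((m["ip"], int(m["status"]), m["target"], reason))
    return findings

# Constructed sample origin log; the first token is the example token from RFC 8555.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Oct/2025:10:00:01 +0000] "GET /.well-known/acme-challenge/evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA HTTP/1.1" 200 87 "-" "acme-validator/1.0"
203.0.113.77 - - [20/Oct/2025:10:02:13 +0000] "GET /.well-known/acme-challenge/../../actuator/env HTTP/1.1" 200 5120 "-" "curl/8.4.0"
203.0.113.77 - - [20/Oct/2025:10:02:20 +0000] "GET /.well-known/acme-challenge/x?page=../../config.php HTTP/1.1" 200 1843 "-" "curl/8.4.0"
203.0.113.9 - - [20/Oct/2025:10:05:00 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, status, target, reason in scan_origin_log(SAMPLE_LOG.splitlines()):
        print(f"{ip} {status} {target}: {reason}")
```

A 200 status on a flagged line means the origin answered the request itself, which is exactly the condition the WAF should have prevented.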
Source: https://cybersecuritynews.com/cloudflare-zero-day-vulnerability/
Cloudflare cybersecurity rating report: https://www.rankiteo.com/company/cloudflare
{
  "id": "CLO1768841812",
  "linkid": "cloudflare",
  "type": "Vulnerability",
  "date": "10/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "All Cloudflare WAF customers",
      "industry": "Technology/Cloud Services",
      "name": "Cloudflare",
      "type": "Cybersecurity Provider"
    }
  ],
  "attack_vector": "ACME HTTP-01 challenge path bypass",
  "data_breach": {
    "sensitivity_of_data": "High",
    "type_of_data_compromised": [
      "Database credentials",
      "API tokens",
      "Cloud keys",
      "Server-side rendering data"
    ]
  },
  "date_detected": "2025-10",
  "date_resolved": "2025-10-27",
  "description": "Security researchers from FearsOff uncovered a zero-day vulnerability in Cloudflare’s Web Application Firewall (WAF) that allowed attackers to bypass security controls and directly access protected origin servers. The flaw stemmed from improper handling of ACME HTTP-01 challenge paths, which are used for automated SSL/TLS certificate validation. The vulnerability enabled requests to the `/.well-known/acme-challenge/` directory to evade WAF rules entirely, turning it into an unintended gateway to origin servers.",
  "impact": {
    "data_compromised": "Database credentials, API tokens, cloud keys, server-side rendering data, local file inclusion vulnerabilities",
    "operational_impact": "Potential unauthorized access to origin servers, bypass of WAF rules",
    "systems_affected": "Origin servers protected by Cloudflare WAF"
  },
  "investigation_status": "Resolved",
  "lessons_learned": "Improper handling of ACME HTTP-01 challenge paths can create unintended bypass vectors in WAF systems. Regular audits of edge network logic are necessary to prevent similar vulnerabilities.",
  "post_incident_analysis": {
    "corrective_actions": "Permanent fix deployed to ensure WAF rules apply uniformly to all paths, including ACME challenge directories.",
    "root_causes": "Logic error in Cloudflare’s edge network where ACME path requests with non-matching tokens bypassed WAF rules entirely."
  },
  "recommendations": "Cloudflare customers were advised that no action was required post-fix. Organizations should verify WAF rule consistency across all paths, including ACME challenge directories.",
  "references": [
    {"source": "FearsOff Research"},
    {"source": "Cloudflare HackerOne Report"}
  ],
  "response": {
    "communication_strategy": "Public disclosure via HackerOne and company statement",
    "containment_measures": "Permanent fix deployed to ensure WAF rules apply uniformly to all paths",
    "remediation_measures": "Cloudflare validated and triaged the issue, deploying a fix on October 27, 2025",
    "third_party_assistance": "FearsOff (security researchers)"
  },
  "stakeholder_advisories": "Cloudflare confirmed no evidence of malicious exploitation and stated no customer action was required.",
  "title": "Critical Zero-Day in Cloudflare WAF Exposed Origin Servers to Bypass Attacks",
  "type": "Zero-Day Vulnerability",
  "vulnerability_exploited": "Improper handling of ACME HTTP-01 challenge paths in Cloudflare WAF"
}