Cloudflare Zero-Day Flaw Allows Attackers to Bypass Security and Access Any Host

A critical zero-day vulnerability in Cloudflare’s Web Application Firewall (WAF) allowed attackers to bypass security controls and directly access protected origin servers.

Security researchers from FearsOff discovered on October 9, 2025, that requests targeting a specific certificate-validation path could completely circumvent customer-configured WAF rules designed to block unauthorized traffic.

The Hidden Backdoor in Certificate Validation

The vulnerability exploited a path used by the Automatic Certificate Management Environment (ACME) protocol.

ACME automates SSL/TLS certificate issuance by having certificate authorities verify domain ownership through a specific URL pattern: /.well-known/acme-challenge/{token}.

This path is supposed to be a narrow, controlled gateway used only for certificate validation robots to verify domain ownership.

Cloudflare’s edge network contained a logic flaw in how it processed requests to this ACME challenge path.

When any request targeted /.well-known/acme-challenge/*, the system would turn off WAF security features to prevent interference with legitimate certificate validation.

However, the code failed to verify whether the token in the request actually matched an active challenge for that specific hostname.

This meant attackers could send arbitrary requests to the ACME path and bypass WAF protections entirely, reaching the origin server directly.

[Image: Error message (Source: FearsOff)]

FearsOff researchers created demonstration environments to prove the severity of this bypass.

They configured WAF rules to block all traffic to test domains, including cf-php.fearsoff.org, cf-spring.fearsoff.org, and cf-nextjs.fearsoff.org.

Routine requests to these domains correctly returned Cloudflare block pages. However, identical requests targeting the ACME challenge path received responses directly from origin servers, bypassing all security controls.

The impact extended beyond simple access. On Spring Boot applications, researchers used servlet path traversal techniques (e.g., ..;/) to access sensitive actuator endpoints, such as /actuator/env, which exposed environment variables, database credentials, and API tokens.

On Next.js applications, server-side rendering logic exposed operational details that were never intended for public access. PHP applications with local file inclusion vulnerabilities became exploitable, allowing attackers to read system files such as /etc/hosts.

Account-Level Rules Completely Ignored

To confirm this wasn’t limited to framework error pages, researchers configured account-level WAF rules to block requests containing a specific test header (X-middleware-subrequest). At typical paths, these rules correctly blocked flagged requests.

The identical request targeting the ACME challenge path was allowed through without evaluation.

This meant that entire classes of header-based attacks, including SQL injection via header concatenation, server-side request forgery via X-Forwarded-Host, cache poisoning, and HTTP method override tricks, could reach vulnerable origins.

Cloudflare deployed a permanent fix on October 27, 2025, modifying the ACME challenge logic so that WAF features are turned off only when the request token matches a valid, active challenge for that specific hostname.
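To make the logic flaw described above and the shape of the fix concrete, here is an added illustration (not Cloudflare's code, and not from the FearsOff report). It contrasts a prefix-only exemption with one that checks the token against an active challenge for the exact hostname, and shows how a defender could flag requests that only the old logic would have exempted. The challenge registry, token-length floor, and log format are constructed assumptions.

```python
import re
from urllib.parse import unquote

ACME_PREFIX = "/.well-known/acme-challenge/"
# ACME tokens are base64url strings; the minimum length used here is an
# assumption for the example, not a value from the article.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{16,}$")

# Constructed registry of active challenges: hostname -> set of tokens.
ACTIVE_CHALLENGES = {
    "cf-spring.fearsoff.org": {"abc123_ValidChallengeToken"},
}

def skip_waf_vulnerable(host, path):
    """Pre-fix behaviour as the article describes it: anything under the
    ACME prefix is exempted from the WAF, whatever the token or hostname."""
    return path.startswith(ACME_PREFIX)

def skip_waf_fixed(host, path, challenges=ACTIVE_CHALLENGES):
    """Post-fix behaviour: exempt only a well-formed token that matches an
    active challenge registered for this exact hostname."""
    if not path.startswith(ACME_PREFIX):
        return False
    token = unquote(path[len(ACME_PREFIX):])
    if not TOKEN_RE.fullmatch(token):
        return False  # rejects traversal-style "tokens" containing '/' or ';'
    return token in challenges.get(host.lower(), set())

def flag_suspicious(log_lines, challenges=ACTIVE_CHALLENGES):
    """Detection: requests the old logic would have exempted but the corrected
    check would not. Constructed log format: '<host> <path> <status>'."""
    hits = []
    for line in log_lines:
        host, path, _status = line.split()
        if skip_waf_vulnerable(host, path) and not skip_waf_fixed(host, path, challenges):
            hits.append((host, path))
    return hits

# Constructed sample log using the test hostnames named in the article.
SAMPLE_LOG = [
    "cf-spring.fearsoff.org /.well-known/acme-challenge/abc123_ValidChallengeToken 200",
    "cf-spring.fearsoff.org /.well-known/acme-challenge/..;/actuator/env 200",
    "cf-php.fearsoff.org /.well-known/acme-challenge/abc123_ValidChallengeToken 200",
    "cf-php.fearsoff.org /index.php 403",
]

if __name__ == "__main__":
    for host, path in flag_suspicious(SAMPLE_LOG):
        print(f"suspicious ACME-path request: {host} {path}")
```

Only the first log line is a legitimate validation request; the second fails the token format check and the third carries a token that is valid in form but not registered for that hostname, so both are reported.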

The vulnerability timeline shows responsible disclosure: the report was submitted via HackerOne on October 9; vendor validation began on October 13; HackerOne triaged it on October 14; and the final fix was deployed on October 27.

Cloudflare confirmed that no customer action is required and stated they found no evidence of malicious exploitation.

The collaboration involved the Crypto.com Security Team for independent verification, and the researchers worked directly with Cloudflare CEO Matthew Prince to expedite the patch.

The bug highlights how maintenance paths intended for automation can become dangerous attack vectors when security controls apply inconsistently across different code paths.
