Cloudflare Zero-Day Vulnerability Enables Any Host Access Bypassing Protections

Key Points:

  • A critical zero-day vulnerability in Cloudflare’s Web Application Firewall (WAF) allowed attackers to bypass security controls by exploiting the ACME HTTP-01 certificate validation path, enabling direct access to protected origin servers.
  • The flaw arose because Cloudflare disabled WAF features for ACME challenge requests to avoid interfering with certificate validation, but requests with invalid tokens bypassed WAF checks entirely and reached the origin server.
  • Researchers demonstrated multiple attack vectors exploiting this bypass, including access to sensitive endpoints in Spring/Tomcat apps, data leaks in Next.js apps, and file system access in vulnerable PHP applications, while account-level WAF rules were ignored for these requests.
  • Cloudflare was notified on October 9, 2025, and deployed a
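As an added defensive example (not code from the article or from Cloudflare), the scanner below flags origin-server access-log entries that reached the ACME HTTP-01 challenge path carrying something other than a well-formed token, which is the shape of request the points above describe slipping past the WAF. The Common Log Format regex, the token-shape rule taken from RFC 8555, and the sample log lines are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote
# RFC 8555 HTTP-01 tokens use the base64url alphabet without padding and
# carry at least 128 bits of entropy (22+ characters; many CAs issue 43).
ACME_PREFIX = "/.well-known/acme-challenge/"
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,128}$")
# Minimal parser for Common Log Format lines: client, method, path, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

@dataclass
class Finding:
    client: str
    path: str
    status: int
    reason: str

def classify_acme_path(path: str) -> Optional[str]:
    """Reason a request under the ACME prefix is not a genuine HTTP-01 validation, else None."""
    if not path.startswith(ACME_PREFIX):
        return None
    remainder = unquote(path[len(ACME_PREFIX):])  # expose %2e%2e-style encoding
    if "?" in remainder or "#" in remainder:
        return "query string on challenge path"
    if "/" in remainder or ".." in remainder:
        return "extra path segment or traversal under challenge prefix"
    if not TOKEN_RE.fullmatch(remainder):
        return "token is not base64url-shaped"
    return None

def scan_access_log(lines: List[str]) -> List[Finding]:
    """Flag origin-log entries that reached the ACME path with a non-token."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (reason := classify_acme_path(m.group("path"))):
            findings.append(Finding(m.group("client"), m.group("path"),
                                    int(m.group("status")), reason))
    return findings

# Constructed sample origin log lines (not from the article); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2025:10:00:00 +0000] "GET /.well-known/acme-challenge/evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA HTTP/1.1" 200 87',
    '203.0.113.9 - - [10/Oct/2025:10:00:01 +0000] "GET /.well-known/acme-challenge/x HTTP/1.1" 404 0',
    '203.0.113.9 - - [10/Oct/2025:10:00:02 +0000] "GET /.well-known/acme-challenge/%2e%2e/internal HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2025:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024',
]
```

Run `scan_access_log(SAMPLE_LOG)` against your own origin logs for the exposure window; a hit with a 2xx status is worth investigating, since it means the origin served content on a path the WAF did not inspect.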