
Cloudflare Fixes ACME Validation Bug Permitting WAF Bypass to Origin Servers

Cloudflare has addressed a security vulnerability affecting its Automated Certificate Management Environment (ACME) validation logic that made it possible to bypass security controls and reach origin servers.

“The vulnerability was rooted in how our edge network processed requests destined for the ACME HTTP-01 challenge path (/.well-known/acme-challenge/*),” the web infrastructure company’s Hrushikesh Deshpande, Andrew Mitchell, and Leland Garofalo said.

The web infrastructure company said it found no evidence that the vulnerability was ever exploited in a malicious context.

ACME is a communications protocol (RFC 8555) that facilitates automated issuance, renewal, and revocation of SSL/TLS certificates. Each certificate provisioned to a website by a certificate authority (CA) is validated using challenges that prove control of the domain.


This process is typically carried out with an ACME client such as Certbot, which proves domain control via an HTTP-01 (or DNS-01) challenge and manages the certificate lifecycle. The HTTP-01 challenge checks for a validation token and a key fingerprint placed on the web server at “http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>”, served over HTTP on port 80.


The CA’s server makes an HTTP GET request to that exact URL to retrieve the file. Once the verification succeeds, the certificate is issued and the CA marks the ACME account (i.e., the entity registered on its server) as authorized to manage that specific domain.

If the challenge belongs to a certificate order managed by Cloudflare, Cloudflare answers on the path above and returns the token supplied by the CA to the caller. If it does not correspond to a Cloudflare-managed order, the request is routed to the customer origin, which may be using a different system for domain validation.

The vulnerability, discovered and reported by FearsOff in October 2025, stems from a flawed implementation of the ACME validation process that caused certain challenge requests to that URL to disable web application firewall (WAF) rules and reach the origin server when they should have been blocked.


In other words, the logic did not verify whether the token in the request actually matched an active challenge for that specific hostname, effectively allowing an attacker to send arbitrary requests to the ACME path and bypass WAF protections entirely, giving them the ability to reach the origin server.

“Previously, when Cloudflare was serving an HTTP-01 challenge token, if the path requested by the caller matched a token for an active challenge in our system, the logic serving an ACME challenge token would disable WAF features, since Cloudflare would be directly serving the response,” the company explained.


“This is done because these features can interfere with the CA’s ability to validate the token values and would cause failures with automated certificate orders and renewals. However, in the scenario where the token used was associated with a different zone and not directly managed by Cloudflare, the request would be allowed to proceed to the customer origin without further processing by WAF rulesets.”


Kirill Firsov, founder and CEO of FearsOff, said the vulnerability could be exploited by a malicious user to obtain a deterministic, long-lived token and access sensitive data on the origin server across all Cloudflare hosts, opening the door to reconnaissance.

Cloudflare addressed the vulnerability on October 27, 2025, with a code change that serves the response and disables WAF features only when the request matches a valid ACME HTTP-01 challenge token for that specific hostname.
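To make the flawed and corrected checks concrete, the following is an added example modelling the edge decision in Python; it is not Cloudflare’s code, and the hostnames, tokens and challenge registry are constructed for illustration.

```python
# Added example (not Cloudflare's code): simplified model of how an edge decides
# what to do with a request to /.well-known/acme-challenge/<token>.
from typing import NamedTuple, Optional

ACME_PREFIX = "/.well-known/acme-challenge/"

# Constructed registry of active HTTP-01 challenges the edge manages:
# (hostname, token) -> key authorization that must be served to the CA.
ACTIVE_CHALLENGES = {
    ("shop.example", "tokA1"): "tokA1.keyauthA",
    ("blog.other-zone.test", "tokB2"): "tokB2.keyauthB",
}

class Decision(NamedTuple):
    action: str                # "serve" (edge answers) or "origin" (forward to customer)
    waf_enabled: bool          # whether WAF rulesets still run on the request
    body: Optional[str] = None # key authorization when the edge serves it

def _token_from_path(path: str) -> Optional[str]:
    """Extract <token> from the challenge path; None for any other path."""
    if not path.startswith(ACME_PREFIX):
        return None
    token = path[len(ACME_PREFIX):]
    return token if token and "/" not in token else None

def route_flawed(host: str, path: str) -> Decision:
    """Pre-fix logic as the article describes it: WAF is switched off as soon as
    the token matches ANY active challenge, whichever hostname it belongs to."""
    token = _token_from_path(path)
    if token is None:
        return Decision("origin", waf_enabled=True)
    for (chal_host, chal_token), keyauth in ACTIVE_CHALLENGES.items():
        if chal_token == token:
            if chal_host == host:
                return Decision("serve", waf_enabled=False, body=keyauth)
            # Token belongs to another zone: WAF is already off and the request
            # falls through to the customer origin unfiltered (the bug).
            return Decision("origin", waf_enabled=False)
    return Decision("origin", waf_enabled=True)

def route_fixed(host: str, path: str) -> Decision:
    """Post-fix logic: the (hostname, token) pair must match before WAF is disabled;
    anything else goes to the origin with WAF rulesets still applied."""
    token = _token_from_path(path)
    if token is None:
        return Decision("origin", waf_enabled=True)
    keyauth = ACTIVE_CHALLENGES.get((host, token))
    if keyauth is not None:
        return Decision("serve", waf_enabled=False, body=keyauth)
    return Decision("origin", waf_enabled=True)
```

Comparing `route_flawed` and `route_fixed` on a token registered for a different zone shows the difference: the flawed path forwards the request to the origin with `waf_enabled=False`, the fixed path keeps the WAF on.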
