
Cloudflare has addressed a security vulnerability that affects Automated Certificate Management Environment (ACME) validation logic and allows access to origin servers by bypassing security controls.
“The vulnerability was due to the way our edge network handled requests addressed to the ACME HTTP-01 challenge path (/.well-known/acme-challenge/*),” said Hrushikesh Deshpande, Andrew Mitchell, and Leland Garofalo of the web infrastructure company.
The company said it found no evidence that the vulnerability had been exploited maliciously.
ACME is a communications protocol (RFC 8555) that facilitates the automatic issuance, renewal, and revocation of SSL/TLS certificates. Every certificate provisioned to a website by a Certificate Authority (CA) is verified using a challenge that proves ownership of the domain.

This process is typically accomplished using an ACME client such as Certbot, which proves domain ownership through HTTP-01 (or DNS-01) challenges and manages the certificate lifecycle. In the HTTP-01 challenge, the CA looks for the verification token and account key fingerprint on the web server at “http://<domain>/.well-known/acme-challenge/<token>” over HTTP on port 80.
The CA’s server makes an HTTP GET request to that exact URL to retrieve the file. If validation is successful, a certificate is issued and the CA marks the ACME account (that is, the registered entity on the server) as authorized to manage that particular domain.
When the challenge belongs to a certificate order managed by Cloudflare, Cloudflare answers requests to the path described above itself, serving the token the CA provided to the caller. If the request is not associated with a Cloudflare-managed order, however, it is routed to the customer’s origin, which may use a different system for domain verification.

The vulnerability, discovered and reported by FearsOff in October 2025, involves a flaw in the implementation of the ACME validation process that allows certain challenge requests to the ACME challenge path to override Web Application Firewall (WAF) rules and reach the origin server when they should be blocked.
This means the logic could not verify whether the token in the request actually matched an active challenge for that particular hostname, effectively allowing an attacker to send arbitrary requests to the ACME path, completely bypassing WAF protection, and reach the origin server.
“Previously, when Cloudflare provided HTTP-01 challenge tokens, the logic providing ACME challenge tokens disabled WAF functionality because if the path requested by the caller matched an active challenge token in the system, Cloudflare would provide a direct response,” the company explained.

“This is done because these features can interfere with the CA’s ability to validate the token value and cause automatic certificate ordering and renewal to fail. However, in scenarios where the used token is associated with another zone and is not directly managed by Cloudflare, the request is allowed to proceed to the customer’s origin without further processing by the WAF ruleset.”
Kirill Firsov, founder and CEO of FearsOff, said a malicious user could exploit this vulnerability to obtain deterministic long-lived tokens and access sensitive files on the origin servers of all Cloudflare hosts, opening the door to reconnaissance.
Cloudflare resolved the vulnerability on October 27, 2025 with a code change that bypasses the WAF and serves a direct response only when the request matches a valid ACME HTTP-01 challenge token for that specific hostname.
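As an added illustration (not Cloudflare’s code), the following Python models the edge routing decision the article describes, before and after the fix, alongside the RFC 8555 key-authorization value a CA expects to find at the challenge path. The hostnames, tokens and account JWK are constructed sample values.

```python
import base64
import hashlib
import json

ACME_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample state: active HTTP-01 challenges the edge manages,
# keyed by (hostname, token); values are the responses the edge serves.
ACTIVE_CHALLENGES = {
    ("shop.example", "tok-A"): "tok-A.thumbprint-shop",
    ("blog.example", "tok-B"): "tok-B.thumbprint-blog",
}


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 key authorization: token '.' base64url(SHA-256(JWK thumbprint)).
    The thumbprint input is the RFC 7638 canonical JSON (sorted keys, no spaces)."""
    canon = json.dumps({k: account_jwk[k] for k in sorted(account_jwk)},
                       separators=(",", ":")).encode()
    digest = hashlib.sha256(canon).digest()
    return token + "." + base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def route_before_fix(host: str, path: str) -> str:
    """Model of the pre-fix logic: the WAF is switched off for the whole
    challenge path, the token is matched without regard to hostname, and an
    unmatched token still reaches the origin with no WAF processing."""
    if not path.startswith(ACME_PREFIX):
        return "waf+origin"
    token = path[len(ACME_PREFIX):]
    if any(t == token for (_, t) in ACTIVE_CHALLENGES):
        return "edge-response"          # any zone's active token matches
    return "origin-no-waf"              # the bypass: forwarded unfiltered


def route_after_fix(host: str, path: str) -> str:
    """Model of the fixed logic: a direct, WAF-free response only when the
    token matches an active challenge for this exact hostname; every other
    request, ACME path or not, goes through the normal WAF ruleset."""
    if path.startswith(ACME_PREFIX):
        token = path[len(ACME_PREFIX):]
        if (host, token) in ACTIVE_CHALLENGES:
            return "edge-response"
    return "waf+origin"
```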
