January 23, 2026
By esentry Team

Cloudflare ACME Path Vulnerability and Zero-Day Bypass of WAF Protections

A flaw within Cloudflare’s implementation of the ACME HTTP-01 challenge path (/.well-known/acme-challenge/*) allowed requests to bypass Web Application Firewall (WAF) protections and reach origin servers directly, even when strict customer firewall rules were in place. This behaviour created a temporary zero-day bypass of configured security controls, potentially exposing protected hosts behind Cloudflare to unauthorized requests.
The flaw specifically concerned how the edge network handled ACME HTTP-01 certificate validation requests for domains behind Cloudflare’s proxy services.

Affected Component

  • Cloudflare Edge Network
  • Automatic Certificate Management Environment (ACME) Logic
  • Web Application Firewall (WAF)

Technical Details

1) ACME HTTP-01 Challenge Path

The ACME protocol is widely used for automated SSL/TLS certificate issuance. The HTTP-01 challenge requires a domain to serve a validation token at a predictable URL under /.well-known/acme-challenge/{token} to prove control of the domain to a Certificate Authority (CA). Cloudflare’s edge normally handles this automatically for managed certificates.

2) Logic Flaw and WAF Bypass

Cloudflare’s internal logic temporarily disabled WAF features on ACME HTTP-01 challenge paths to ensure legitimate CA validation was not disrupted. However, due to a flaw in this logic, requests with tokens not matching a valid Cloudflare-managed ACME challenge were passed through to the customer’s origin without WAF evaluation or enforcement of configured security rules. This effectively permitted access to origin servers that should have been blocked.

Potential Misuse

While no widespread active exploitation has been publicly confirmed, researchers demonstrated that this bypass could be used to:

  • Access protected endpoints on origin servers that would normally be blocked by WAF rules.
  • Interact with application logic and frameworks (e.g., Spring, Next.js, PHP) that might otherwise be inaccessible.
  • Amplify existing vulnerabilities (path traversal, local file inclusion) by reaching the backend directly.

The bypass does not grant arbitrary access to protected resources on its own, but it can facilitate exploitation of underlying server or application vulnerabilities that would normally be inaccessible.

Recommendation

  1. Defense in Depth: Do not rely solely on Cloudflare for security. Ensure origin servers are configured to require authentication (e.g., Cloudflare Tunnel/Argo, or verifying JSON Web Tokens).
  2. Audit Origin Logs: Review origin server access logs for unusual requests directed at /.well-known/acme-challenge/ from IPs not associated with legitimate ACME validation services.
  3. Restrict Origin Access: Configure origin firewalls to only accept traffic from Cloudflare IP ranges.
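As an added illustration of recommendation 2 (not part of the original advisory), the script below scans origin access logs for requests under /.well-known/acme-challenge/ whose token does not look like a real ACME token (RFC 8555 tokens use only the base64url alphabet), or that carry extra path segments, traversal sequences, query strings, or non-GET methods. It assumes an Apache combined log format with the CF-Connecting-IP value appended as a final quoted field; the log lines are constructed samples.

```python
"""Flag anomalous requests to the ACME HTTP-01 challenge path in origin access logs.
Added example, not from the original advisory. Assumed log format: Apache combined
with the CF-Connecting-IP value appended as a final quoted field."""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<client>[^"]*)"$')
ACME_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 s8.3: token is base64url characters only with >= 128 bits of entropy (22+ chars).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")

def inspect_line(line):
    """Return a finding for an anomalous challenge-path request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = m["path"]
    path = unquote(raw.split("?", 1)[0])  # decode once, then drop the query string
    if not path.startswith(ACME_PREFIX):
        return None
    token = path[len(ACME_PREFIX):]
    reasons = []
    if m["method"] not in ("GET", "HEAD"):
        reasons.append("non-GET method")
    if "/" in token or ".." in token:
        reasons.append("extra path segments or traversal after token")
    elif not TOKEN_RE.match(token):
        reasons.append("token is not a well-formed ACME token")
    if "?" in raw:
        reasons.append("query string on challenge path")
    return {"client": m["client"], "path": raw, "reasons": reasons} if reasons else None

def scan(lines):
    """Run inspect_line over an iterable of log lines and collect the findings."""
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample log: one legitimate validation, two probes, one unrelated request.
SAMPLE_LOG = [
    '172.68.0.10 - - [23/Jan/2026:10:00:01 +0000] "GET /.well-known/acme-challenge/'
    'Dp2M4G0m9JQvXjF5lR8tZQwKb3cVnH6yE1sA7uT0oIo HTTP/1.1" 200 87 "-" "acme-client" "198.51.100.7"',
    '172.68.0.11 - - [23/Jan/2026:10:00:05 +0000] "GET /.well-known/acme-challenge/'
    '..%2Fapp%2Fconfig HTTP/1.1" 404 0 "-" "curl/8.0" "203.0.113.9"',
    '172.68.0.12 - - [23/Jan/2026:10:00:09 +0000] "POST /.well-known/acme-challenge/'
    'x HTTP/1.1" 200 12 "-" "python-requests" "203.0.113.9"',
    '172.68.0.13 - - [23/Jan/2026:10:00:12 +0000] "GET /admin HTTP/1.1" 403 0 "-" "curl/8.0" "203.0.113.9"',
]
```

Findings report the client IP from CF-Connecting-IP rather than the connecting IP, since traffic proxied through Cloudflare always arrives from Cloudflare ranges.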