Cloudflare has fixed a security flaw in its infrastructure that could allow attackers to bypass Web Application Firewall protections. The issue was linked to how Cloudflare handled ACME certificate validation requests. These requests are used to automatically issue and renew HTTPS certificates. The flaw affected how certain validation traffic was processed.
The vulnerability involved the ACME HTTP-01 challenge path used during domain verification. Normally, this path is trusted to allow certificate authorities to confirm domain ownership. Cloudflare temporarily relaxes some security checks for this process. However, not all requests to this path were fully validated.
Because of this logic issue, specially crafted requests could bypass Cloudflare’s WAF rules. Instead of being filtered, those requests could reach the origin server directly. This meant backend systems might be exposed to unauthorized traffic. Such access could weaken a site’s security posture.
In simple terms, the system trusted requests that appeared to be certificate checks without fully confirming them. Attackers could exploit this trust to slip past security defenses. The WAF, which normally blocks malicious traffic, was unintentionally skipped. This created a potential attack path.
The issue was discovered by external security researchers in October 2025. It was responsibly disclosed through Cloudflare’s bug bounty program. Cloudflare engineers investigated and confirmed the vulnerability. A fix was developed shortly after confirmation.
Cloudflare released a patch on October 27, 2025, to resolve the issue. The update ensures WAF protections are only relaxed for valid ACME challenges. Requests that do not exactly match a legitimate challenge are now blocked. Normal security rules now apply correctly.
According to Cloudflare, there is no evidence that the bug was exploited in real-world attacks. The company stated that customers do not need to take any action. The fix was applied automatically across Cloudflare’s global network. Monitoring systems continued protecting users during the process.
This incident highlights the risks that can come with automated security systems. Certificate automation is essential for modern web security. However, even small logic flaws can create serious security gaps. The fix reinforces the importance of careful validation and ongoing security testing.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news
