
Cloudflare ACME WAF Bypass: Zero-Day Exposes Servers

Cloudflare disclosed on January 19, 2026 a vulnerability (already patched the previous October) that let attackers bypass Web Application Firewall protections entirely by abusing the /.well-known/acme-challenge/ path used for ACME HTTP-01 certificate validation. Millions of sites relying on Cloudflare’s WAF learned that an automation convenience had created an invisible hole in their edge protection.

The ACME Path Bypass: When Automation Breaks Security

The bug lived in Cloudflare’s handling of ACME HTTP-01 challenges. For requests to /.well-known/acme-challenge/, the edge skipped WAF processing whenever the token in the path matched any pending certificate challenge anywhere on Cloudflare’s platform, not only one belonging to the requested domain. That exception was evaluated before customer rules, and the request, including whatever followed the token in the path, was forwarded to the origin with no filtering at all.

Security researcher FearsOff demonstrated this on three demo apps configured to block all traffic. Normal requests returned Cloudflare’s block page, but the same requests prefixed with /.well-known/acme-challenge/{token} sailed past the WAF and reached the origin directly.

Many sites treated Cloudflare’s WAF as their only security layer. This vulnerability broke that assumption: attackers could reach “protected” origins directly, exposing internal APIs, credentials, and server-side code never meant to be public.

Framework Exploits: Credentials and Code Exposed

FearsOff demonstrated framework-specific exploits that yielded real credentials. Spring Boot applications with Actuator enabled were particularly exposed. Servlet containers strip path parameters (the part of a segment after a semicolon) before resolving .., so a segment written as ..;/ looks opaque to the edge but acts as ../ at the origin. Combining that traversal with the ACME bypass prefix let the researchers reach /actuator/env, which exposed database connection strings and API keys.

Next.js applications leaked server-side rendering internals: session secrets, backend API endpoints, and internal routing logic became accessible to anyone who knew where to look. PHP applications that route every request through index.php were exposed to Local File Inclusion attempts that the WAF would normally have blocked.

These are mainstream frameworks running on millions of production servers. Developers who followed best practice and deployed behind Cloudflare’s WAF found their protections silently disabled by an automation shortcut they did not know existed.
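The following is an added example, not code from Cloudflare or from FearsOff’s write-up. It models the two halves of the bypass described in the sections above: the edge evaluating the ACME exception before customer rules and keying it on a token pending in any zone, and a servlet container resolving ..;/ as ../ after the request arrives unfiltered. The zones (attacker.example, victim.example), the token tok_attacker_0001, the block_all rule and the edge_buggy, edge_hardened and servlet_normalize functions are all constructed for the demo; the hardened variant is my own assumed correct design, not a description of Cloudflare’s actual patch. Three ..;/ segments are used simply because that is the depth of /.well-known/acme-challenge/<token>/.

```python
"""Model of the ACME path exception and the origin-side path normalization
that turned it into an Actuator leak.

Added example, not Cloudflare's or FearsOff's code. The decision order, the
platform-wide token lookup and the origin normalizer are simplified models of
the behaviour described in the article; zones, tokens and rules are constructed.
"""
import posixpath

ACME_PREFIX = "/.well-known/acme-challenge/"

# Constructed: challenge tokens pending anywhere on the platform, keyed by zone.
# The attacker controls attacker.example; the victim has no challenge in flight.
PENDING_CHALLENGES = {
    "attacker.example": {"tok_attacker_0001"},
    "victim.example": set(),
}


def block_all(host, path):
    """Constructed customer WAF rule for the demo apps: block every request."""
    return "block"


def edge_buggy(host, path, rules):
    """Edge decision as the article describes the bug: the ACME exception runs
    before customer rules, accepts a token pending in ANY zone, and forwards
    the whole request, trailing segments included, without filtering."""
    if path.startswith(ACME_PREFIX):
        token = path[len(ACME_PREFIX):].split("/", 1)[0]
        platform_tokens = set().union(*PENDING_CHALLENGES.values())
        if token in platform_tokens:
            return "bypass"
    return rules(host, path)


def edge_hardened(host, path, rules):
    """Hardened decision (my assumed correct design, not Cloudflare's actual
    patch): the exception applies only to a token pending for THIS zone and
    only to the exact challenge URL, and the edge answers it itself rather
    than forwarding an unfiltered request to the origin."""
    if path.startswith(ACME_PREFIX):
        rest = path[len(ACME_PREFIX):]
        if "/" not in rest and rest in PENDING_CHALLENGES.get(host, set()):
            return "serve-challenge"
    return rules(host, path)


def servlet_normalize(path):
    """Approximation of servlet-container path mapping: path parameters
    (';...') are stripped from each segment BEFORE '..' is resolved, so a
    '..;/' segment that the edge treats as opaque becomes '../' at the origin."""
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return posixpath.normpath("/".join(segments))


def demo():
    # Three '..;/' segments climb out of /.well-known/acme-challenge/<token>/.
    probe = ACME_PREFIX + "tok_attacker_0001/..;/..;/..;/actuator/env"
    host = "victim.example"
    return {
        "direct": edge_buggy(host, "/actuator/env", block_all),
        "buggy_edge": edge_buggy(host, probe, block_all),
        "origin_resolves": servlet_normalize(probe),
        "hardened_edge": edge_hardened(host, probe, block_all),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16s} {outcome}")
```

The direct request to /actuator/env is blocked, the same target behind the ACME prefix is forwarded untouched by the buggy edge, and the origin collapses the path back to /actuator/env. The hardened variant blocks it because the token belongs to a different zone and the path continues past the token; the same exact-token request on attacker.example is answered by the edge without touching the origin.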

The Hidden Cost of “Magic” Infrastructure

ACME HTTP-01 challenges require the Certificate Authority to validate domain control by fetching a token file from /.well-known/acme-challenge/ on the domain being certified. Cloudflare exempted this path from WAF filtering so that CA validation would never be blocked by a customer rule. Sensible in theory, catastrophic in practice.

The bug: the WAF exception fired whenever the token matched any challenge in Cloudflare’s system, and nothing re-checked that the token belonged to the target domain or that the path ended at the token. As FearsOff described it, this created “an implicit exception, intended to help certificate validation, that executed before customer blocking controls.”

This points to a broader industry problem. “Magic” infrastructure features often hide dangerous security assumptions. Developers configured WAF rules assuming comprehensive protection, unaware of invisible bypass paths. The automation promised zero-touch SSL; the hidden cost was a hole in the security perimeter that no customer configuration could close.

Fast Patch, Late Disclosure

FearsOff reported the vulnerability through Cloudflare’s bug bounty on October 13, 2025. Cloudflare deployed a fix on October 27, a 14-day turnaround. Public disclosure did not follow until January 19, 2026, nearly three months later. Cloudflare states it found “no evidence of malicious exploitation,” but that claim is hard to test: a bypassed request never generated a WAF event, so the usual WAF logs would show nothing. Only raw HTTP request logs, where they were retained, could reveal probes from the vulnerable window.
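If you kept raw edge request logs from before the October 27 fix, the hunt is a path-shape question: a genuine CA validation fetches exactly /.well-known/acme-challenge/<token>, where the token is a single base64url string, so anything that continues past the token, contains .. or the servlet ..;/ form, is not a CA. The following is an added example, not Cloudflare tooling. The log lines are constructed, and the field names (EdgeStartTimestamp, ClientIP, ClientRequestHost, ClientRequestPath, EdgeResponseStatus) are assumed to follow Cloudflare’s HTTP request log export; adjust them to whatever your pipeline actually emits. The classify and hunt functions are mine.

```python
"""Retrospective hunt for ACME-path abuse in edge request logs.

Added example, not Cloudflare's tooling. Sample lines are constructed; field
names are assumed to match Cloudflare's HTTP request log export.
"""
import json
import re
from datetime import datetime, timezone

ACME_PREFIX = "/.well-known/acme-challenge/"
# An HTTP-01 token is one base64url string; a genuine CA fetch has nothing after it.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")
# Fix deployed 2025-10-27 per the article; later requests were filtered normally.
FIX_DEPLOYED = datetime(2025, 10, 27, tzinfo=timezone.utc)

# Constructed sample log: two probes from one client, one real CA fetch,
# one normally blocked request, and one probe from after the fix.
SAMPLE_LOG = """
{"EdgeStartTimestamp":"2025-10-20T09:14:03Z","ClientIP":"203.0.113.7","ClientRequestHost":"victim.example","ClientRequestPath":"/.well-known/acme-challenge/tok_attacker_0001/..;/..;/..;/actuator/env","EdgeResponseStatus":200}
{"EdgeStartTimestamp":"2025-10-20T09:15:41Z","ClientIP":"198.51.100.9","ClientRequestHost":"victim.example","ClientRequestPath":"/.well-known/acme-challenge/AbC123_-xyz","EdgeResponseStatus":200}
{"EdgeStartTimestamp":"2025-10-20T09:16:12Z","ClientIP":"203.0.113.7","ClientRequestHost":"victim.example","ClientRequestPath":"/.well-known/acme-challenge/tok_attacker_0001/../../../index.php","EdgeResponseStatus":200}
{"EdgeStartTimestamp":"2025-10-20T09:17:55Z","ClientIP":"192.0.2.44","ClientRequestHost":"victim.example","ClientRequestPath":"/actuator/env","EdgeResponseStatus":403}
{"EdgeStartTimestamp":"2025-11-02T11:00:00Z","ClientIP":"203.0.113.7","ClientRequestHost":"victim.example","ClientRequestPath":"/.well-known/acme-challenge/tok_attacker_0001/..;/..;/..;/actuator/env","EdgeResponseStatus":403}
"""


def classify(path):
    """Reasons a request under the ACME prefix does not look like a CA fetch ([] if it does)."""
    if not path.startswith(ACME_PREFIX):
        return []
    rest = path[len(ACME_PREFIX):]
    if TOKEN_RE.fullmatch(rest):
        return []
    reasons = []
    if "/" in rest:
        reasons.append("path continues after token")
    if ".." in rest:
        reasons.append("dot-dot traversal")
    if ";" in rest:
        reasons.append("servlet path parameter (..;/)")
    if not reasons:
        reasons.append("token is not base64url")
    return reasons


def hunt(log_text, until=FIX_DEPLOYED):
    """Flag suspicious ACME-path requests logged before the fix was deployed."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        when = datetime.fromisoformat(rec["EdgeStartTimestamp"].replace("Z", "+00:00"))
        if when >= until:
            continue
        reasons = classify(rec["ClientRequestPath"])
        if reasons:
            hits.append({
                "when": rec["EdgeStartTimestamp"],
                "ip": rec["ClientIP"],
                "host": rec["ClientRequestHost"],
                "path": rec["ClientRequestPath"],
                "status": rec["EdgeResponseStatus"],
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["when"], hit["ip"], hit["status"], hit["path"], "; ".join(hit["reasons"]))
```

A 200 on a flagged path is the strongest signal, since during the vulnerable window it means the origin answered. Whether .. survives in your logs depends on whether the pipeline stores the raw or a normalized path; the ..;/ form is not a dot-segment under RFC 3986 and survives normalization either way.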

The patch is solid and requires no customer action. The incident still carries lessons. Consider DNS-01 ACME challenges instead of HTTP-01: DNS-01 proves control through DNS TXT records rather than an HTTP path, so your own ACME setup needs no exception for /.well-known/acme-challenge/ at the origin or in your WAF rules. Note that this particular bug lived in Cloudflare’s own edge handling of the path, not in any customer’s ACME client, so changing your challenge type would not by itself have closed it. Setup is more complex, but high-security environments should evaluate the trade-off.

Implement defense in depth. The WAF cannot be your only security layer. An origin firewall, IP allowlisting of the edge’s address ranges, and least-privilege access all provide backup protection when edge security fails. Be precise about what each control buys you, though: allowlisting the edge stops direct-to-origin traffic, but the bypassed requests here still arrived from Cloudflare’s edge, so what limited the damage was the origin itself, for example not exposing Actuator endpoints on the public listener and requiring authentication on anything sensitive. Question invisible automation features: what other “convenience bypasses” exist in your stack? Verify assumptions rather than trusting that a cloud provider’s architecture is perfect.

Key Takeaways

  • The vulnerability is patched (October 27, 2025) with no customer action required—Cloudflare deployed the fix server-side across their global infrastructure.
  • Audit your ACME implementation: If using HTTP-01 challenges, consider switching to DNS-01 for high-security environments so that neither your origin nor your WAF rules need an HTTP path exception. This would not have closed Cloudflare’s edge-side bug on its own, but it removes one class of exception from your side of the stack.
  • Implement defense in depth: WAF plus origin firewall plus least-privilege access. Cloud edge security is powerful but shouldn’t be your only protective layer.
  • Question “magic” automation: Invisible security exceptions in infrastructure are ticking time bombs. Verify that convenience features don’t create hidden vulnerabilities.
  • Test security assumptions: Don’t assume your origin is protected—actively verify that WAF rules actually block unauthorized access attempts.
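A black-box check of the last takeaway, added here as an example rather than Cloudflare tooling, and to be run only against hosts you own: fetch a path your WAF is known to block, then the same target hidden behind the ACME prefix with ../ and servlet-style ..;/ traversal, and report any variant whose status differs from the blocked baseline. The placeholder token is an assumption: per the article the exception keyed on a token matching a real pending challenge, so a random string should now be blocked like anything else; a differing status still means the edge treated the path specially and deserves a look. The fetch parameter exists so the logic can be exercised offline with a stub.

```python
"""Black-box check that customer WAF rules fire before any path-based exception.

Added example, not Cloudflare's tooling. Run only against a host you own.
urllib is used deliberately: it sends '../' as written, whereas some clients
(curl without --path-as-is) squash dot-segments before sending.
"""
import sys
from urllib import error, request

ACME_PREFIX = "/.well-known/acme-challenge/"
# Segments to climb out of /.well-known/acme-challenge/<token>/ back to the root.
PREFIX_DEPTH = 3


def http_status(url):
    """Real fetcher: HTTP status code, with error responses mapped to their code."""
    req = request.Request(url, headers={"User-Agent": "waf-assumption-check/1.0"})
    try:
        with request.urlopen(req, timeout=10) as resp:
            return resp.status
    except error.HTTPError as e:
        return e.code


def bypass_variants(blocked_path, token="placeholder-token"):
    """Paths that must be blocked exactly like blocked_path if customer rules
    run before any path exception: plain '../' and servlet '..;/' traversal."""
    target = blocked_path.lstrip("/")
    climb = {"dotdot": "../", "servlet": "..;/"}
    return {name: ACME_PREFIX + token + "/" + seg * PREFIX_DEPTH + target
            for name, seg in climb.items()}


def check_waf_assumption(base_url, blocked_path, fetch=http_status):
    """Return (baseline_status, findings). findings lists (variant name, path,
    status) for every variant whose status differs from the blocked baseline."""
    baseline = fetch(base_url + blocked_path)
    findings = []
    for name, variant in bypass_variants(blocked_path).items():
        status = fetch(base_url + variant)
        if status != baseline:
            findings.append((name, variant, status))
    return baseline, findings


if __name__ == "__main__":
    # usage: python check.py https://your-host.example /path-your-waf-blocks
    base, path = sys.argv[1], sys.argv[2]
    baseline, findings = check_waf_assumption(base, path)
    print(f"baseline {path}: {baseline}")
    for name, variant, status in findings:
        print(f"DIFFERS [{name}] {variant}: {status}")
    if not findings:
        print("all traversal variants blocked like the baseline")
```

Interpret a difference with care: a 404 from the origin on a variant is still a finding, because it shows the request reached the origin at all, while a baseline that is not a WAF block response (for example a 200) makes the comparison meaningless. Pick a path that your rules block today and confirm the baseline is the block page before trusting the result.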