Critical Cloudflare flaw allowed hackers to reach web servers directly


A massive blind spot in Cloudflare’s security recently left millions of servers exposed to a critical zero-day exploit. White-hat hackers found a way to bypass the Web Application Firewall (WAF) and access private data by abusing the URL path reserved for HTTPS certificate renewal checks.

Cloudflare’s WAF had a huge blind spot: it skipped inspection of URLs meant for HTTPS certificate renewals, according to the disclosure by security researchers at FearsOff.

A WAF is a shield that guards servers and applications against requests from external attackers, filtering undesired traffic and mitigating attacks that would otherwise succeed if the servers were left exposed.


However, an inadvertent misconfiguration caused Cloudflare’s WAF to “step aside” when requests landed on the path “/.well-known/acme-challenge/”.

This URL path is intended for HTTPS certificate authorities (CAs): every few months, when websites automatically renew their certificates, the CA visits this URL to check for matching tokens.


Poking this specific route, the researchers were shocked to find that the origin server responded directly, and Cloudflare was no longer acting as a barrier.

This exposes a broad range of vulnerabilities that attackers can exploit across many web platforms, including Spring/Tomcat, Next.js, PHP, and others. By crafting specific URLs, the researchers were able to access private environment files and other sensitive data.

“Many real applications make decisions based on headers or pass header values into downstream code. When WAF rules that police headers are skipped, entire classes of issues regain a route to the origin,” the FearsOff researchers explained.

The researchers showcased several attacks that would normally be blocked by the WAF. By exploiting PHP routing bugs, attackers can read the “/etc/hosts” file and pivot to stealing an entire database. Similarly, the environment file from a Tomcat server can be extracted, which may contain sensitive credentials. Next.js servers can be forced to expose “operational details that were never intended to be reachable from the public internet.”


Hackers can also use other tricks, such as poisoning a site’s cache to serve malicious data to users, overriding administrative settings, and revealing other secrets.

“Using a well-known traversal quirk in some servlet stacks (..;/), the request could land on /actuator/env and return process environment and configuration. That data often includes sensitive values – database URLs, API tokens, cloud keys – and it materially raises the blast radius of any mistake in the origin,” the researchers warned.

The flaw is patched – no action necessary

The researchers responsibly disclosed the bug to Cloudflare, and the fix was deployed back in October 2025.

“Cloudflare has patched this vulnerability, and there is no action necessary for Cloudflare customers. There is no evidence of any malicious actor abusing this vulnerability,” the tech giant said in a blog post.


Cloudflare also explained that, before the fix, it forwarded requests to that path straight to the customer’s origin server so as not to interfere with any third-party domain validation process the customer might have been running.

The firm fixed the issue by changing its code so that the WAF remains active unless a request is confirmed to be a genuine certificate-verification request (an ACME HTTP-01 challenge) for that website.
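A defender-side check that applies the same rule as the fix described above, as an added example that is not Cloudflare’s or FearsOff’s code: only a well-formed, single-segment ACME HTTP-01 token path counts as a genuine challenge, and every other request under the prefix is flagged as traffic that should have stayed under WAF inspection. The accepted token length range and the access-log format are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import unquote

ACME_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 defines the HTTP-01 token as unpadded base64url text; the accepted
# length range here is an assumption, so tune it to what your CA actually issues.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22,128}")

def is_genuine_acme_challenge(method: str, raw_path: str) -> bool:
    """True only for a request that looks like a real ACME HTTP-01 validation.
    Extra path segments, traversal such as '..;/', non-GET methods and
    double-encoded paths all return False and so stay under normal WAF rules."""
    if method != "GET":
        return False
    path = unquote(raw_path.split("?", 1)[0])  # drop query string, decode once
    if unquote(path) != path:                  # second decode changes it: obfuscated
        return False
    if not path.startswith(ACME_PREFIX):
        return False
    token = path[len(ACME_PREFIX):]
    # Exactly one segment from the base64url alphabet: '/', ';' and '.' are
    # impossible in it, so no traversal trick can be mistaken for a token.
    return TOKEN_RE.fullmatch(token) is not None

def flag_misused_acme_path(log_lines):
    """Return access-log lines that hit the ACME prefix without being a genuine
    challenge. Assumed (constructed) format: '<ip> <method> <path> <status>'."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        _ip, method, path, _status = parts[:4]
        if ACME_PREFIX.rstrip("/") in unquote(path) and not is_genuine_acme_challenge(method, path):
            flagged.append(line)
    return flagged

# Constructed sample log: one genuine-looking challenge (a 43-character base64url
# token) and three requests that abuse the prefix to reach the origin.
SAMPLE_LOG = [
    "203.0.113.5 GET /.well-known/acme-challenge/evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA 200",
    "203.0.113.9 GET /.well-known/acme-challenge/..;/actuator/env 200",
    "203.0.113.9 GET /.well-known/acme-challenge/%2e%2e/.env 200",
    "203.0.113.9 POST /.well-known/acme-challenge/abc 404",
    "198.51.100.2 GET /index.html 200",
]
```

Running `flag_misused_acme_path(SAMPLE_LOG)` returns the three abusive lines and leaves the genuine challenge and the unrelated request alone.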
