Cloudflare Fixes ACME Validation Flaw That Could Bypass WAF to Origin Servers
Cloudflare has fixed a security issue in its Automatic Certificate Management Environment (ACME) validation logic that allowed security controls to be bypassed and traffic to reach protected origin servers.
“The vulnerability was rooted in how our edge network processed requests destined for the ACME HTTP-01 challenge path (/.well-known/acme-challenge/*),” the web infrastructure company’s Hrushikesh Deshpande, Andrew Mitchell, and Leland Garofalo said.
The company said internal review and telemetry did not uncover any indication that the flaw had been abused for real-world attacks.
ACME is a communications protocol (RFC 8555) used to automatically issue, renew, and revoke SSL/TLS certificates. Each certificate a certificate authority (CA) provisions for a website is tied to a challenge flow that proves control of the target domain.
This process is typically handled by an ACME client such as Certbot, which proves domain ownership using an HTTP-01 (or DNS-01) challenge and automates certificate lifecycle operations. For HTTP-01, the CA expects to find a validation token and key fingerprint on the web server at “https://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>” over HTTP port 80.
The CA’s server then sends an HTTP GET to that specific URL to retrieve the challenge file. If validation succeeds, the CA issues the certificate and marks the associated ACME account (the registered entity on the CA side) as authorized to manage certificates for that domain.
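To make the HTTP-01 flow concrete, here is an added example (not code from the article, from Cloudflare, or from any CA or ACME client) that builds the key authorization a client publishes at the challenge path and performs the comparison a CA does after fetching it. The JWK and token values are constructed for the demo and are not real key material; `fetch` stands in for the CA's plain-HTTP GET.

```python
import base64
import hashlib
import hmac
import json

# Added example (not from the article or any ACME client/CA code): the HTTP-01
# key authorization from RFC 8555 section 8.1 and the check a CA performs on it.

ACME_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, sorted keys, no whitespace, SHA-256."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """What the client must publish: <token>.<thumbprint of the ACME account key>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def publish_challenge(token: str, account_jwk: dict) -> tuple:
    """Client side: the path the CA will GET and the body to serve there."""
    return ACME_PREFIX + token, key_authorization(token, account_jwk)


def ca_validate(fetch, token: str, account_jwk: dict) -> bool:
    """CA side: GET the challenge URL and compare against the expected key authorization.
    `fetch(path)` stands in for the HTTP GET over port 80; trailing whitespace is tolerated
    as RFC 8555 allows, and the comparison is constant-time."""
    body = fetch(ACME_PREFIX + token)
    if body is None:
        return False
    return hmac.compare_digest(body.rstrip(), key_authorization(token, account_jwk))


# Constructed sample values: this JWK is NOT a real key and the token is NOT from a CA.
# The extra "alg" member is there to show it is excluded from the thumbprint.
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86z",
    "alg": "RS256",
}
SAMPLE_TOKEN = "9A8zvqtKdsCpbz1LPkRhZn8sHbNZsY4Qx2mF0cVLtyE"


def demo() -> tuple:
    """Returns (result for the right token, result when the CA expects a different token)."""
    webroot = {}  # simulated document root of the customer's web server
    path, body = publish_challenge(SAMPLE_TOKEN, SAMPLE_JWK)
    webroot[path] = body + "\n"  # servers often append a newline; the CA strips it
    fetch = webroot.get
    return (
        ca_validate(fetch, SAMPLE_TOKEN, SAMPLE_JWK),
        ca_validate(fetch, "some-other-token", SAMPLE_JWK),
    )


if __name__ == "__main__":
    print(publish_challenge(SAMPLE_TOKEN, SAMPLE_JWK))
    print(demo())
```

The point for a defender is that the CA never trusts the path alone: the body must carry the exact token it issued, bound to the thumbprint of the account key that placed the order, which is why a token for one zone proves nothing about another.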
When the challenge is for a certificate order managed by Cloudflare, Cloudflare responds directly on that path and returns the CA-provided token to the requesting CA. If the request does not map to an order Cloudflare manages, the traffic is forwarded to the customer origin, which may rely on a different implementation for domain validation.
The vulnerability, identified and disclosed by FearsOff in October 2025, stems from a faulty ACME validation implementation in which specific challenge requests to the ACME URL path caused web application firewall (WAF) rules to be turned off, allowing requests to hit the origin server that otherwise should have been blocked.
Effectively, the logic did not confirm that the token in the incoming request was tied to an active challenge for that particular hostname. As a result, an attacker could send crafted requests to the ACME path, fully bypassing WAF inspection and reaching the origin server directly.
“Previously, when Cloudflare was serving an HTTP-01 challenge token, if the path requested by the caller matched a token for an active challenge in our system, the logic serving an ACME challenge token would disable WAF features, since Cloudflare would be directly serving the response,” the company explained.
“This is done because those features can interfere with the CA’s ability to validate the token values and would cause failures with automated certificate orders and renewals. However, in the scenario that the token used was associated with a different zone and not directly managed by Cloudflare, the request would be allowed to proceed onto the customer origin without further processing by WAF rulesets.”
Kirill Firsov, founder and CEO of FearsOff, noted that a malicious actor could leverage the flaw to obtain a deterministic, long‑lived token and then use it to reach sensitive files on origin servers across Cloudflare-hosted properties, enabling systematic reconnaissance activity.
Cloudflare remediated the issue on October 27, 2025, by updating the code so that responses are served and WAF features are disabled only when the request corresponds to a valid ACME HTTP-01 challenge token for the specific hostname.
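A schematic model of the edge decision the article describes, as an added example that is not Cloudflare's code: the pre-fix lookup matches the token against every active challenge and switches the WAF off on a match alone, while the post-fix lookup keys on the requested hostname and token together. The hostnames, tokens and challenge table are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not Cloudflare's code: a model of the routing decision described in the
# article, with the vulnerable lookup and the remediated lookup side by side.

ACME_PREFIX = "/.well-known/acme-challenge/"


@dataclass
class Decision:
    served_by_edge: bool        # the edge answered the challenge itself
    forwarded_to_origin: bool   # the request went on to the customer origin
    waf_enabled: bool           # whether WAF rulesets still applied on the way to origin
    body: Optional[str] = None  # challenge body, when served by the edge


# Constructed table of active HTTP-01 challenges the edge manages, keyed by (hostname, token).
ACTIVE_CHALLENGES = {
    ("shop.example", "tokA-constructed"): "tokA-constructed.thumbprint-constructed",
}


def _token_from(path: str) -> Optional[str]:
    """Return the token segment for an ACME challenge path, else None."""
    if not path.startswith(ACME_PREFIX):
        return None
    return path[len(ACME_PREFIX):] or None


def route_before_fix(host: str, path: str) -> Decision:
    token = _token_from(path)
    if token is None:
        return Decision(False, True, True)  # ordinary request: origin, WAF on
    # Flaw: the token is matched against every active challenge rather than the one for
    # this hostname, and a match anywhere is enough to disable the WAF.
    token_known_anywhere = any(t == token for (_, t) in ACTIVE_CHALLENGES)
    waf_enabled = not token_known_anywhere
    body = ACTIVE_CHALLENGES.get((host, token))
    if body is not None:
        return Decision(True, False, waf_enabled, body)
    # Token belongs to a different zone: not served here, but forwarded with the WAF already off.
    return Decision(False, True, waf_enabled)


def route_after_fix(host: str, path: str) -> Decision:
    token = _token_from(path)
    if token is None:
        return Decision(False, True, True)
    # Fix: the WAF is disabled only when (hostname, token) is an active challenge this edge
    # serves; anything else reaches the origin with rulesets intact.
    body = ACTIVE_CHALLENGES.get((host, token))
    if body is not None:
        return Decision(True, False, False, body)
    return Decision(False, True, True)


if __name__ == "__main__":
    probe = ACME_PREFIX + "tokA-constructed"
    for router in (route_before_fix, route_after_fix):
        print(router.__name__, "other-zone.example:", router("other-zone.example", probe))
```

The detection angle follows from the model: on the origin side, any request under `/.well-known/acme-challenge/` whose token is not one you expect for that exact hostname is worth logging, and the origin should keep its own validation of the path rather than assuming upstream filtering applied.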