Cloudflare patches ACME HTTP-01 validation bug that could bypass WAF

Cloudflare said in a blog post that on October 27, 2025 it fixed an ACME HTTP-01 validation vulnerability that could disable web application firewall (WAF) rules and allow requests to reach origin servers, and that it found no evidence the bug was exploited.

KEY FACTS

  • Incident: ACME HTTP-01 validation logic flaw
  • Path: /.well-known/acme-challenge/*
  • Fix date: October 27, 2025
  • Researcher: FearsOff technical write-up

The vulnerability stemmed from how the edge network processed requests to the ACME HTTP-01 challenge path. Matching a token in the path could cause WAF features to be disabled and the request to be forwarded to the origin when it should have been blocked.

Under standard ACME operation the certificate authority requests the validation token at https://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN> over HTTP port 80. When an order is managed by Cloudflare the platform serves the token directly and other requests are routed to the customer origin.

The technical write-up links the flaw to logic that did not verify whether a token matched an active challenge for the specific hostname. That allowed arbitrary requests to the ACME path to bypass protections and reach origin files.

A code change was deployed to serve the response and disable WAF features only when the request matches a valid ACME HTTP-01 challenge token for that hostname. The change was applied on October 27, 2025.
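The following is an added, simplified model of the dispatch decision described above; it is not Cloudflare's code, and the exact matching logic of the original flaw is not described on this page. It contrasts a flawed dispatcher, which accepts any token that is active for some hostname (not tied to the requested host) and forwards the request to the origin with WAF evaluation skipped, against a hardened one that answers the challenge directly only when the token is registered for that exact hostname and otherwise runs the request through the normal WAF pipeline. The hostnames, tokens, key authorizations and the stand-in WAF rule are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional

ACME_PREFIX = "/.well-known/acme-challenge/"


@dataclass(frozen=True)
class Decision:
    action: str        # "serve_challenge", "forward_origin" or "block"
    waf_applied: bool  # whether WAF rules were evaluated for this request
    body: Optional[str] = None


# Constructed challenge state: hostname -> {token: key_authorization}.
# A real edge would populate this from the CA orders it is managing.
CHALLENGES: Dict[str, Dict[str, str]] = {
    "shop.example": {"tokShop1": "tokShop1.ACCOUNT_THUMBPRINT"},
    "blog.example": {"tokBlog1": "tokBlog1.ACCOUNT_THUMBPRINT"},
}


def waf_allows(path: str) -> bool:
    """Stand-in for the customer's WAF ruleset (constructed): block traversal
    sequences and anything under /admin."""
    return ".." not in path and not path.startswith("/admin")


def acme_token(path: str) -> Optional[str]:
    """Return the token component if the path is on the ACME challenge prefix."""
    if not path.startswith(ACME_PREFIX):
        return None
    return path[len(ACME_PREFIX):] or None


def flawed_dispatch(host: str, path: str) -> Decision:
    """Flawed model: the token is looked up across every hostname's active
    challenges. A hit disables WAF and forwards to the origin, even though the
    token was never issued for `host`."""
    token = acme_token(path)
    if token is not None and any(token in toks for toks in CHALLENGES.values()):
        return Decision("forward_origin", waf_applied=False)
    if not waf_allows(path):
        return Decision("block", waf_applied=True)
    return Decision("forward_origin", waf_applied=True)


def hardened_dispatch(host: str, path: str) -> Decision:
    """Hardened model: only a token registered for this exact hostname is
    answered by the edge itself (nothing is forwarded, so no origin exposure).
    Every other request, including unknown or cross-host tokens on the
    challenge path, goes through the normal WAF pipeline."""
    token = acme_token(path)
    if token is not None:
        key_auth = CHALLENGES.get(host.lower(), {}).get(token)
        if key_auth is not None:
            return Decision("serve_challenge", waf_applied=False, body=key_auth)
    if not waf_allows(path):
        return Decision("block", waf_applied=True)
    return Decision("forward_origin", waf_applied=True)


def compare(host: str, path: str) -> Dict[str, Decision]:
    """Run both dispatchers on the same request for side-by-side review."""
    return {"flawed": flawed_dispatch(host, path),
            "hardened": hardened_dispatch(host, path)}


if __name__ == "__main__":
    # Constructed requests: a legitimate challenge, a token issued for another
    # hostname, and an ordinary request that the WAF rule should block.
    for host, path in [
        ("shop.example", ACME_PREFIX + "tokShop1"),
        ("shop.example", ACME_PREFIX + "tokBlog1"),
        ("shop.example", "/admin/config"),
    ]:
        for name, d in compare(host, path).items():
            print(f"{name:9s} {host} {path} -> {d.action}, waf_applied={d.waf_applied}")
```

The second request is the one that matters: a token that is active for `blog.example` but presented against `shop.example` is forwarded to the origin with no WAF evaluation in the flawed model, while the hardened model treats it as an ordinary request because the lookup is keyed on the requested hostname first.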

WHY IT MATTERS

The flaw could let attackers bypass perimeter filtering and access origin content for reconnaissance. Operators using Cloudflare should confirm the patch and review origin access controls.