How we mitigated a vulnerability in Cloudflare’s ACME validation logic
2026-01-19
by Hrushikesh Deshpande
Endigest AI Core Summary
Cloudflare disclosed and patched a WAF bypass vulnerability in their ACME HTTP-01 challenge validation logic, reported by FearsOff researchers in October 2025.
- The vulnerability caused WAF features to be disabled for requests to /.well-known/acme-challenge/* paths under certain conditions
- When a token matched a challenge associated with a different zone, the request bypassed WAF rulesets and passed to the customer origin unfiltered
- The fix restricts WAF feature disabling only to cases where the request matches a valid ACME HTTP-01 token for the specific hostname being served
- No customer action is required and no evidence of malicious exploitation was found
- The issue was responsibly disclosed via Cloudflare's bug bounty program
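The following is an added illustration, not Cloudflare's code: a simplified model of the flawed bypass decision beside the corrected one. It assumes a hypothetical challenge store keyed by token that records which hostname each HTTP-01 challenge was issued for; the hostnames and tokens are constructed sample values.

```python
import re
from typing import Dict, Optional

ACME_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 tokens are unpadded base64url; anything else is not a token.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")

# Constructed sample data (hypothetical store): token -> hostname the
# challenge was issued for. Two tokens belong to two different zones.
CHALLENGES: Dict[str, str] = {
    "tokA": "shop.example",
    "tokB": "blog.example",
}


def acme_token(path: str) -> Optional[str]:
    """Return the token from an HTTP-01 challenge path, or None otherwise."""
    if not path.startswith(ACME_PREFIX):
        return None
    token = path[len(ACME_PREFIX):]
    return token if TOKEN_RE.fullmatch(token) else None


def waf_disabled_vulnerable(host: str, path: str) -> bool:
    """Flawed decision: any known token disables the WAF, whichever zone
    it belongs to, so a token issued for one hostname also turns the WAF
    off for a request to a different hostname."""
    token = acme_token(path)
    return token is not None and token in CHALLENGES


def waf_disabled_fixed(host: str, path: str) -> bool:
    """Corrected decision: the WAF is only disabled when the token is a
    valid challenge for the exact hostname the request is served for."""
    token = acme_token(path)
    return token is not None and CHALLENGES.get(token) == host
```

Comparing the two functions on a request to blog.example that carries shop.example's token shows the difference: the flawed check bypasses the WAF, the corrected one does not.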
Tags:
#Vulnerabilities
#WAF
#Security
#Network Services
