Cloudflare WAF Bypass Flaw Exposed Origins via ACME Path, Patch Deployed
Researchers disclosed a critical flaw in Cloudflare’s edge processing that allowed requests to the ACME HTTP-01 validation path (/.well-known/acme-challenge/) to bypass WAF rules and reach origin servers, potentially exposing data across common frameworks (e.g., Spring/Tomcat, Next.js, PHP). Cloudflare issued a fix on Oct 27, 2025 ensuring ACME traffic is evaluated by WAF rules again; no customer action is required and there’s no evidence of exploitation in the wild.