How we mitigated a vulnerability in Cloudflare's ACME validation logic
Blog post from Cloudflare
On October 13, 2025, security researchers from FearsOff identified a vulnerability in Cloudflare's ACME validation logic that affected some Web Application Firewall (WAF) features on specific ACME-related paths. The vulnerability, reported through Cloudflare's bug bounty program, concerned how requests for the ACME HTTP-01 challenge were processed: certain requests could reach the customer origin without proper WAF processing. Cloudflare promptly patched the vulnerability and confirmed that no malicious exploitation had occurred, so customers needed to take no further action.

The ACME protocol automates SSL/TLS certificate management by validating domain ownership through a challenge-response process. Because certificate authority validation requests must not be blocked, Cloudflare disables certain security features when serving valid challenge tokens. The vulnerability was that this exemption could apply without a request actually matching such a token. In response, Cloudflare implemented a code change that ensures security features are disabled only when a request matches a valid ACME HTTP-01 challenge token for the hostname in question.

Cloudflare thanked the researchers for their responsible disclosure and reiterated its commitment to security and transparency, encouraging continued community participation in vulnerability reporting to strengthen the platform's security.
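The fix described above, binding the WAF exemption to a registered token for the hostname rather than to the challenge path alone, as an added illustration that is not Cloudflare's code. It assumes a per-hostname registry of pending challenge tokens (constructed here) and the RFC 8555 HTTP-01 path prefix `/.well-known/acme-challenge/`; the weak, path-only check is an assumed example of the bug class, not the actual pre-fix logic.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# RFC 8555 section 8.3: HTTP-01 challenges are served under this prefix.
ACME_PREFIX = "/.well-known/acme-challenge/"


@dataclass(frozen=True)
class Request:
    host: str  # value of the Host header, may include a port
    path: str  # raw request-target, may include a query string


# Constructed sample registry: hostname -> tokens a CA has been asked to fetch.
# In a real system this would be populated when a challenge is provisioned.
PENDING_CHALLENGES = {
    "example.com": {"tok_abc123"},
}


def skip_waf_path_only(req: Request) -> bool:
    """Weak check (assumed bug class): exempts any request under the ACME prefix."""
    return req.path.startswith(ACME_PREFIX)


def skip_waf_token_bound(req: Request, pending=PENDING_CHALLENGES) -> bool:
    """Hardened check: exempt only when the path names a token registered for this host."""
    path = urlsplit(req.path).path  # match on the path alone, ignoring any query string
    if not path.startswith(ACME_PREFIX):
        return False
    token = path[len(ACME_PREFIX):]
    # The token must be exactly one path segment of base64url characters (RFC 8555 8.3);
    # this also rejects traversal suffixes such as "token/../other".
    if not token or not all(c.isalnum() or c in "-_" for c in token):
        return False
    host = req.host.lower().split(":", 1)[0]  # normalise case and drop any port
    return token in pending.get(host, set())
```

Every request that the hardened check exempts is also exempted by the weak one, but not the reverse, which is the point: the exemption is now tied to a specific token a CA is expected to fetch for that specific hostname.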