Overview
- Cloudflare publicly described the vulnerability this week and credited FearsOff, which reported it on October 13, 2025 via the company’s bug bounty program.
- A logic flaw meant certain requests to /.well-known/acme-challenge/ could disable WAF checks and hit origin servers when the token was tied to a different zone.
- Cloudflare says it deployed a fix on October 27, 2025 to only relax security when a valid HTTP-01 token matches the hostname and Cloudflare can serve the challenge response.
- The company reports no evidence of malicious use and says customers do not need to take any action.
- FearsOff cautioned that such a path could enable reconnaissance and exposure of sensitive files or header-driven attacks on poorly configured origins as automated scanning increases.