ACME flaw in Cloudflare allowed attackers to reach origin servers
Summary: Cloudflare fixed a flaw in its ACME validation logic that could let attackers bypass WAF protection and reach origin servers directly. The problem stemmed from how Cloudflare's edge handled requests to the /.well-known/acme-challenge/ path: researchers found that requests to this path bypassed WAF restrictions, exposing sensitive information and re-enabling several classes of attack. Cloudflare fixed the issue on October 27, 2025.

2026-1-21 15:10:10 Author: securityaffairs.com

Cloudflare fixed a flaw in its ACME validation logic that could let attackers bypass security checks and access protected origin servers.

Cloudflare fixed a flaw in its ACME HTTP-01 validation logic that could let attackers bypass security checks and reach origin servers. The issue stemmed from how Cloudflare’s edge handled requests to the /.well-known/acme-challenge/ path. The company says it found no signs of malicious exploitation.

ACME (RFC 8555) is the protocol certificate authorities use to automate certificate issuance, including proving that the requester controls a domain. With the HTTP-01 challenge, the CA fetches a one-time token at a fixed URL under /.well-known/acme-challenge/ on port 80 of the domain and expects the response to carry the matching key authorization. If it does, the certificate is issued. Any special handling of that path at the edge should apply only to the exact token URL, and nothing else.
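What "only that exact path" means on the origin side is easiest to show in code. The following is an added example written for this article, not code from Cloudflare, FearsOff or any ACME client: a strict HTTP-01 responder that answers only an exact GET of a pending, well-formed token with the RFC 8555 key authorization (token, a dot, and the RFC 7638 thumbprint of the account key) and treats everything else under the challenge prefix as a 404. The `pending_tokens` set and the account JWK are inputs the caller is assumed to supply; the token pattern's upper bound is a defensive choice, not a protocol requirement.

```python
"""Strict origin-side handler for ACME HTTP-01 challenges (added example)."""
import base64
import hashlib
import json
import re

ACME_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 section 8.3: the token is base64url (no padding) with at least 128
# bits of entropy, so 22 characters is the shortest legitimate token. The upper
# bound here is a defensive assumption, not something the protocol mandates.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22,128}")


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required JWK members only, keys
    sorted, serialised without whitespace. Optional members like "alg" are
    deliberately left out so they cannot change the thumbprint."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The body the CA expects: token '.' thumbprint of the ACME account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def handle_acme(method: str, path: str, pending_tokens: set, account_jwk: dict):
    """Return (status, body) for a challenge request, or None if the path is
    not under the challenge prefix and normal application routing applies.

    Everything that is not an exact GET of a pending, well-formed token gets a
    404: extra path segments, query strings, traversal attempts and unknown
    tokens all receive the same answer, so the challenge prefix cannot be used
    as a generic route into the application behind it.
    """
    if not path.startswith(ACME_PREFIX):
        return None
    if method != "GET":
        return 405, ""
    token = path[len(ACME_PREFIX):]
    # fullmatch rejects "/", "?", ".." and anything else that is not token text
    if not TOKEN_RE.fullmatch(token) or token not in pending_tokens:
        return 404, ""
    return 200, key_authorization(token, account_jwk)
```

The handler deliberately knows nothing about the rest of the application: a request for `.../<token>/../admin` or `.../<token>?debug=1` is not "almost" a challenge, it is a 404, which is the behaviour the edge should have been mirroring in the case above.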

While testing applications behind Cloudflare with a WAF rule blocking all but specific source addresses, researchers noticed that requests to /.well-known/acme-challenge/{token} bypassed the WAF and reached the origin server directly.

Demo hosts confirmed the behavior: requests to ordinary paths returned Cloudflare block pages, while requests to ACME challenge paths returned responses generated by the origin (404s), even when the token did not correspond to any real challenge. To test WAF behavior reliably from locations worldwide, the researchers created a stable, pending HTTP-01 challenge token via a custom hostname.
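The observation above is a differential one: the same client gets a block page on an ordinary path and an origin response on the challenge path. The following is an added example, written for this article and not taken from the FearsOff report, that turns that observation into a repeatable check: it requests a freshly generated random token under a control path and under the ACME path and flags a bypass when the edge answers the two differently. The hostnames, the control prefix and the use of a bare HTTP status as the discriminator are assumptions for the example; a real assessment would also compare bodies to confirm the origin's framework fingerprint.

```python
"""Differential probe for a WAF bypass on the ACME challenge path (added example)."""
import secrets
import urllib.error
import urllib.request
from dataclasses import dataclass

ACME_PREFIX = "/.well-known/acme-challenge/"
# Control path of the same depth that receives no special handling anywhere
# (assumed name for the example).
CONTROL_PREFIX = "/.well-known/not-acme-challenge/"


@dataclass
class Probe:
    path: str
    status: int
    body_len: int


def http_fetch(base_url: str, path: str, timeout: float = 10.0) -> Probe:
    """GET base_url+path and return the status even for 4xx/5xx answers."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "acme-path-diff/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Probe(path, resp.status, len(resp.read()))
    except urllib.error.HTTPError as err:
        return Probe(path, err.code, len(err.read()))


def check_acme_bypass(base_url: str, fetch=http_fetch) -> dict:
    """Request the same random token under the control path and the ACME path.

    From a client the WAF is configured to deny, both requests must be answered
    identically by the edge. A different status on the ACME path means that
    request went somewhere the control request did not: the origin.
    """
    token = secrets.token_urlsafe(32)          # 43 base64url chars, like a real token
    control = fetch(base_url, CONTROL_PREFIX + token)
    acme = fetch(base_url, ACME_PREFIX + token)
    return {
        "control": control,
        "acme": acme,
        "bypass": control.status != acme.status,
    }


if __name__ == "__main__":
    import sys
    result = check_acme_bypass(sys.argv[1])   # e.g. https://app.example.com
    print(result["control"], result["acme"], "BYPASS" if result["bypass"] else "ok")
```

Run it only against hosts you are authorised to test, and from a source address the WAF is supposed to block; a 403 on the control path next to a 404 on the challenge path is exactly the pattern the researchers describe.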

Once the WAF let /.well-known/acme-challenge/... through, the trust boundary moved from the WAF to the origin application itself. Demo apps showed what that means in practice: Spring/Tomcat endpoints exposed sensitive environment variables, Next.js server-side rendered pages leaked operational details, and PHP routing exposed files through LFI bugs. Account-level WAF rules were also ignored on this path, so header-based attacks (SSRF, SQLi, cache poisoning) that those rules would normally stop regained a route to the origin. Cloudflare fixed the issue on October 27, 2025, restoring consistent WAF enforcement.

“When WAF rules that police headers are skipped, entire classes of issues regain a route to the origin: header driven SQL concatenation in legacy code, SSRF and host confusion via X-Forwarded-Host or X-Original-URL, cache key poisoning when caches vary on headers, method override tricks with X-HTTP-Method-Override, and debug toggles wired to custom headers.” reads the report published by FearsOff. “The obvious question follows – how many apps still trust headers more than they should, and how many rely on the WAF to stand between that trust and the internet?”
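The paragraph and the quoted report above both make the same point: the WAF was standing between header-trusting code and the internet, and once it stepped aside for one path the origin had nothing of its own. The following is an added example, written for this article and not code from the report or from any of the frameworks it names, showing the host-confusion case side by side: a legacy helper that lets X-Forwarded-Host decide the application's base URL, next to a hardened version that refuses connections not coming from the reverse proxy and validates the host against an allowlist. The proxy ranges and the allowed hostname are hypothetical placeholders; in production the ranges would come from Cloudflare's published IP list.

```python
"""Origin-side defences that hold even when the edge WAF is skipped (added example)."""
import ipaddress

# Hypothetical ranges standing in for the reverse proxy's egress addresses.
# In production, load Cloudflare's published IP list and refresh it regularly.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]
# Hostnames this deployment actually serves (assumed for the example).
ALLOWED_HOSTS = {"app.example.com"}


def from_trusted_proxy(peer_ip: str) -> bool:
    """True if the TCP peer is inside one of the proxy ranges. A request from
    anywhere else never passed through the WAF at all and must be refused."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def vulnerable_base_url(headers: dict) -> str:
    """Legacy pattern: the forwarded host wins over Host, so whoever can get a
    header to the origin controls every absolute URL the app builds (password
    reset links, redirects, backend fetches). Only the WAF stood in the way."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return f"https://{host}"


def hardened_base_url(headers: dict, peer_ip: str):
    """Return the base URL for an allowlisted host, or None to reject.

    Connections that did not arrive via the proxy are rejected outright. For
    the rest, the forwarded host is normalised and checked against the
    allowlist, so a skipped WAF rule changes nothing: an attacker-chosen host
    is rejected whether or not the edge inspected the header.
    """
    if not from_trusted_proxy(peer_ip):
        return None
    raw = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    host = raw.split(",")[0].strip().lower()    # chained proxies may join values
    if host not in ALLOWED_HOSTS:
        return None
    return f"https://{host}"
```

The same shape applies to the other headers the report lists: X-Original-URL and X-HTTP-Method-Override should be honoured only if the application has an explicit reason to, and then only after the same peer check, never because a WAF rule upstream is expected to strip them.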

WAF bypasses like this grow more dangerous as AI-driven attacks can quickly find and exploit exposed paths. AI can chain small flaws into large attacks, while defenders also use AI to simulate and block threats, making strong WAF protections increasingly vital.

“Vulnerabilities like this WAF bypass take on added urgency with evolving AI-driven attacks. Automated tools powered by machine learning can rapidly enumerate and exploit exposed paths like /.well-known/acme-challenge/, probing for framework-specific weaknesses or misconfigurations at scale.” concludes the report.

Cloudflare addressed the flaw on October 27, 2025.

Pierluigi Paganini

(SecurityAffairs – hacking, WAF)

Source: https://securityaffairs.com/187156/security/acme-flaw-in-cloudflare-allowed-attackers-to-reach-origin-servers.html