Critical Cloudflare flaw allowed hackers to reach web servers directly

A vulnerability has been found in Cloudflare’s Web Application Firewall.

A critical flaw in Cloudflare’s Web Application Firewall (WAF) allowed attackers to bypass protections through requests to the ACME certificate‑validation path. The vulnerability let crafted requests reach origin servers directly, exposing sensitive environment files and configuration data. Researchers demonstrated attacks impacting platforms such as PHP, Tomcat, and Next.js. Cloudflare patched the flaw in October 2025 and stated no malicious exploitation has been detected.
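For defenders reviewing origin logs, the following added example (not from the brief or from Cloudflare) flags requests under the ACME HTTP-01 challenge prefix that do not look like genuine validation fetches. It assumes a combined-format access log and the RFC 8555 path `/.well-known/acme-challenge/<token>`, where the token is base64url only; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# RFC 8555 HTTP-01: GET /.well-known/acme-challenge/<token>, token is base64url only.
ACME_PREFIX = "/.well-known/acme-challenge/"
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")
# Assumption: combined/common log format, request line in quotes followed by status.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def classify(line):
    """Return None if the line is not an ACME-path request, else a list of
    reasons it deviates from a plain challenge fetch (empty list = looks normal)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    path = unquote(parts.path)  # decode %xx so encoded separators are seen
    if not path.startswith(ACME_PREFIX):
        return None
    reasons = []
    if m["method"] not in ("GET", "HEAD"):
        reasons.append("unexpected method")
    if parts.query:
        reasons.append("query string present")
    if not TOKEN_RE.fullmatch(path[len(ACME_PREFIX):]):
        reasons.append("path is not a bare token")
    return reasons

def suspicious(lines):
    """Yield (request target, status, reasons) for ACME-path requests worth review."""
    out = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            m = LOG_RE.search(line)
            out.append((m["target"], int(m["status"]), reasons))
    return out

# Constructed sample log lines (documentation IP ranges, invented paths).
SAMPLE = [
    '203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /.well-known/acme-challenge/Zm9vYmFyLXRva2VuXzEyMw HTTP/1.1" 200 87',
    '203.0.113.9 - - [01/Jan/2025:10:00:02 +0000] "GET /.well-known/acme-challenge/app/settings.txt HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2025:10:00:03 +0000] "POST /.well-known/acme-challenge/abc123?debug=1 HTTP/1.1" 404 0',
    '198.51.100.7 - - [01/Jan/2025:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for target, status, reasons in suspicious(SAMPLE):
        print(status, target, "; ".join(reasons))
```

A 200 response on a flagged line deserves the closest look, since it means the origin served content for a path that was never a challenge token.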

Read more:

https://cybernews.com/security/cloudflare-waf-bug-lets-hackers-bypass-defenses/