Cloudflare patched an ACME HTTP-01 validation flaw that disabled WAF protections and let unauthorized requests reach origin servers.

The Tidyverse Blog offers insights, tutorials, and updates on the Tidyverse, a collection of R packages for data science and statistical computing. Covering topics such as data manipulation, visualization, and analysis, the blog provides resources for R developers looking to leverage the power of the Tidyverse for their data projects. Developers can learn how to use Tidyverse packages effectively to clean, transform, and analyze data in R.

The Hacker News

Cloudflare patched a vulnerability in its ACME HTTP-01 validation logic that allowed attackers to bypass Web Application Firewall (WAF) protections and reach origin servers. The flaw occurred when the system failed to verify if challenge tokens matched active challenges for specific hostnames, disabling WAF features for arbitrary requests to the ACME path. Discovered by FearsOff in October 2025, the vulnerability could have enabled reconnaissance attacks using long-lived tokens to access sensitive files across Cloudflare-protected hosts. Cloudflare fixed the issue by ensuring WAF features are only disabled for valid ACME challenges matching the requesting hostname.

Cloudflare Fixes ACME Validation Bug Allowing WAF Bypass to Origin Servers