Cloudflare zero-day: Accessing any host globally

https://fearsoff.org/research/cloudflare-acme
41•2bluesc•8h ago

Comments

nick-sta•1h ago
I’m not sure what the nextjs vulnerability is supposed to showcase - they’re putting secrets on their 404 page and relying on cloudflare to not show it?
cowsandmilk•1h ago
All their examples rely on having poorly configured origins. At least the PHP and Tomcat ones might be blocked by a WAF, but the Next.js one would rely on the WAF blocking responses that included secrets (which I’m not sure they do).
nightpool•1h ago
I think the idea for the NextJS example was that there might be some configuration variables that are not sensitive for internal / staff users, but would be problematic if exposed externally—basically, relying on Cloudflare's WAF as a "zero trust" endpoint solution, like Google IAP.

I'm not sure how realistic this is in practice. Does anyone actually configure Cloudflare WAF this way? (As opposed to, e.g., Cloudflare's dedicated zero-trust networking product, which I think works completely differently?)

nightpool•1h ago
Basically, it shows that Cloudflare's WAF (which is supposed to intercept requests before they make it to the origin server) is trivially bypassable by using the `.well-known/acme_challenge` path.

That means that any client that relies on this WAF to authenticate users (like with the NextJS example, where some information that would not be considered sensitive "internally" is exposed externally) or cover over security holes in their application (like with the Spring example, where the path traversal vulnerability in Spring is normally caught by Cloudflare before Spring can see it) would have this assumption violated.

tracker1•1h ago
It's possible you're rendering more than just a simple 404, such as an SPA response or other result as part of an application response that may leak more information...

I think it's not a severe issue in most cases, and maybe something worth noting or addressing if you are at least aware of it; you can just 404 without content, for example in the .well-known/ path. I run most of my apps behind Caddy, which handles that path itself and doesn't forward requests to that path, so I'm curious how it handles it tbh.

I'm also not sure that there's a clear/good fix for this, since CF is allowing the traffic through so that ACME negotiation can work against the final application host.

jorams•1h ago
What a frustrating article. There was an interesting bug here. It's trivial to explain. It's not a zero-day, this was fixed months before disclosure. Most of the article is basically: "Imagine you were running software with horrific security holes behind this WAF. We even made some examples. It had a flaw. If your entire security posture depended on this WAF, imagine how much damage could have been done. Imagine if AI were involved!"
mannyv•59m ago
The point is that WAF didn't block everything, and that if your app had some kind of default/error handler that non-blockage would have unexpectedly exposed something.

Not that big of a deal, but interesting.

cube00•50m ago
> The CA fetches that token over plain HTTPS

The HTTP-01 challenge can only be done on port 80.

https://letsencrypt.org/docs/challenge-types/

amluto•26m ago
The one thing that I find bizarre about this: why did Cloudflare feel inspired to special-case /.well-known/acme-challenge at all? The only thing I can think of is that clients were having caching issues (Cloudflare caching the challenge value, clients forgetting to set cache-control headers, and challenges therefore failing), but that seems like a bit of a weak reason to special-case anything. Anyone using Cloudflare should already know how to set cache control headers.
jerrythegerbil•10m ago
There’s a lot going on in this blog. Interestingly, the core mechanism at play here is the http-01 challenge validations which they state is fetched by the CA over HTTPS. This is particularly amusing when you consider that http-01 is explicitly NOT HTTPS (it’s HTTP), and this is actually the entire reason there’s a different code path to take.

The modern web requires secure (HTTPS) context for many things to work, so it’s commonplace to do so “HTTPS enforcement”; all requests are forcibly upgraded to HTTPS. However, you can’t do that to the CA when it’s performing a http-01 challenge validation. This necessitates a “well known” URL route be used for challenges so that they can very deliberately take a different code path that doesn’t enforce HTTPS (and be routed differently).

This is true of basically every ACME client used for http-01 challenges, not just cloudflare. So while they’ve unfortunately missed the mark on correctly explaining the mechanism at play here, I hope that I succeeded in making it a bit more clear. Other implementations are, of course, similarly exploitable.
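The origin-side handling tracker1 and jerrythegerbil describe, as an added example that is not code from the linked article or from any commenter: only a known challenge token is served under `/.well-known/acme-challenge/`, anything else on that path gets an empty 404 rather than the application's own 404 page, and the HTTPS upgrade exempts only that path. `ACMEGuard`, `probe`, the token store and the leaky demo app are constructed assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)
const acmePrefix = "/.well-known/acme-challenge/"
// ACMEGuard (constructed example): the only path that skips the HTTPS upgrade; ACME-looking requests never reach the app's 404 page.
type ACMEGuard struct {
	App    http.Handler
	Tokens map[string]string // token -> key authorization; constructed store
}
func (g ACMEGuard) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if strings.HasPrefix(r.URL.Path, acmePrefix) {
		ka, ok := g.Tokens[strings.TrimPrefix(r.URL.Path, acmePrefix)]
		// A challenge is a GET of one known token; anything else gets an empty 404.
		if r.Method != http.MethodGet || !ok {
			w.WriteHeader(http.StatusNotFound)
			return
		}
		w.Header().Set("Cache-Control", "no-store") // keep CDNs from caching challenges
		fmt.Fprint(w, ka)
		return
	}
	// Every other plain-HTTP request is upgraded before the app sees it.
	if r.TLS == nil && r.Header.Get("X-Forwarded-Proto") != "https" {
		http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusPermanentRedirect)
		return
	}
	g.App.ServeHTTP(w, r)
}

// demo wraps a constructed app whose own 404 page would leak internal detail.
var demo = ACMEGuard{App: http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
	http.Error(w, "app 404: DEBUG_SECRET=... (constructed)", http.StatusNotFound)
}), Tokens: map[string]string{"tok123": "tok123.thumbprint"}}
// probe sends one plain-HTTP GET through demo and returns status and body.
func probe(path string) (int, string) {
	rec := httptest.NewRecorder()
	demo.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "http://example.test"+path, nil))
	return rec.Code, rec.Body.String()
}
func main() {
	for _, p := range []string{acmePrefix + "tok123", acmePrefix + "nope", acmePrefix + "a/b", "/admin"} {
		code, body := probe(p)
		fmt.Printf("%-42s -> %d %q\n", p, code, body)
	}
}
```

The X-Forwarded-Proto check stands in for whatever header the TLS-terminating edge sets; behind a proxy that does not set it, every request would otherwise loop on the redirect.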
