A critical WAF bypass chain has been discovered affecting Cloudflare's Web Application Firewall. The bypass involves using the Windows backslash character (\) within JSON data. The technique was confirmed on real-world targets including Luno and Chime, leading to serious data leaks such as Face ID data and Personally Identifiable Information (PII). The researcher who found the bypass attempted to report it through HackerOne but found their account restricted, so they sent a proof of concept (PoC) directly to Cloudflare's legal team and requested direct communication via DMs. The technique is especially critical because it can evade WAF protections that improperly handle or normalize JSON input containing Windows-specific escape characters, potentially allowing attackers to execute unauthorized actions or extract sensitive data. Cloudflare users and security teams should verify whether their configurations are affected. Further investigation and patching are likely needed to mitigate this issue and protect data integrity and privacy.
For more details, check out the original tweet here: https://twitter.com/isujin933380/status/2033245786058932251