Bypass of Cloudflare's Cache Keys and WAF via header overflow

Bug reported by David was disclosed at November 18, 2025, 8:08 am   |   Improper Access Control - Generic

A limitation in the HTTP request header parsing in Front Line (FL) processing enabled attackers to bypass defined rulesets. The maximum amount of headers being parsed by openresty was 100 HTTP headers including internal ones. This problem applied to any ruleset on HTTP headers. Attackers were able to bypass WAF rules and perform cache forcing/poisoning. A global rule was implemented to block when too many headers were provided, which was recommended to be enabled. The length problem of parsed HTTP headers was mitigated with the rollout of the new Front Line implementation.