The `host_header` action parameter available to rulesets in the [Origin Rules API](https://developers.cloudflare.com/rules/origin-rules/) lacked sufficient input validation: it accepted CRLF characters. Because of this, it was possible to inject arbitrary headers and, as a consequence, smuggle HTTP requests. This vulnerability enabled bypassing security products such as Cloudflare Access and viewing the content of internal origin servers.
The issue was fixed by Cloudflare engineers, and an internal investigation proved that no Cloudflare customers were affected by exploitation of this vulnerability.
As a recommendation, we advise Cloudflare Access customers to always verify the [Authorization JWT token](https://developers.cloudflare.com/cloudflare-one/identity/users/validating-json#programmatic-verification) before processing requests from the Cloudflare edge, which prevents similar attempts.
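
The missing check described above, sketched as an added example (this is not Cloudflare's code or its fix): an allowlist validator that rejects CRLF and any other non-hostname character in a host header override before the value is written into an outgoing request. The function names and sample values are constructed for illustration, and IPv6 literals are out of scope.

```python
import re

# One RFC 1123 label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def validate_host_header(value):
    """Return a normalized host[:port], or raise ValueError.

    Allowlist check: only a DNS name or IPv4 address with an optional port
    passes, so CR, LF and spaces never reach the request serializer.
    """
    if not isinstance(value, str) or not value:
        raise ValueError("empty host value")
    # Reject control characters and whitespace up front (covers \r and \n).
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in value):
        raise ValueError("control character or whitespace in host value")
    host, sep, port = value.partition(":")
    if sep and not (port.isascii() and port.isdigit() and 0 < int(port) < 65536):
        raise ValueError("invalid port")
    if len(host) > 253:
        raise ValueError("host name too long")
    for label in host.split("."):
        # fullmatch, not match() with "$": in Python "$" also matches just
        # before a trailing "\n", which would let a newline slip through.
        if not _LABEL.fullmatch(label):
            raise ValueError("invalid label: %r" % label)
    return host.lower() + sep + port


def is_safe_host(value):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_host_header(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values, not taken from the advisory.
    for sample in ["origin.example.com:8443", "example.com\r\nX-Injected: 1"]:
        print(repr(sample), is_safe_host(sample))
```

Validating at the point where the value is accepted, and again where it is serialized into a request, keeps a single missed code path from reintroducing the problem.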