Cloudflare Public Bug Bounty: HTTP request smuggling with Origin Rules using newlines in the host_header action parameter
Description

The `host_header` action parameter available to rulesets in the [Origin Rules API](https://developers.cloudflare.com/rules/origin-rules/) lacked sufficient input validation: it accepted CRLF characters. Because of this, it was possible to inject arbitrary headers and, as a consequence, smuggle HTTP requests. This vulnerability enabled bypassing security products such as Cloudflare Access and viewing the content of internal origin servers.
The issue was fixed by Cloudflare engineers, and an internal investigation proved that no Cloudflare customers were affected by exploitation of this vulnerability.
As a recommendation, we advise Cloudflare Access customers to always verify the [Authorization JWT token](https://developers.cloudflare.com/cloudflare-one/identity/users/validating-json#programmatic-verification) before processing requests from the Cloudflare edge, which prevents similar attempts.
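The missing input validation described above can be illustrated with a strict allow-list check on any user-supplied value that will be written into a `Host` header. This is an added example, not Cloudflare's code or its actual fix; the function names `validate_host_header` and `is_valid_host_header` are hypothetical, and the policy (ASCII only, no underscores, no trailing dot) is an assumption chosen for strictness.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def validate_host_header(value):
    """Return value unchanged if it is a strict host[:port]; else raise ValueError.

    Hypothetical helper for illustration, not Cloudflare's implementation.
    """
    if not isinstance(value, str) or not value:
        raise ValueError("host value must be a non-empty string")
    # Reject CR, LF, NUL, tab, space, DEL and non-ASCII before any parsing,
    # so nothing that can terminate a header line reaches the request writer.
    if any(ord(c) <= 0x20 or ord(c) >= 0x7F for c in value):
        raise ValueError("control, whitespace or non-ASCII character")
    if value.startswith("["):  # bracketed IPv6 literal, e.g. [2001:db8::1]:443
        host, closed, rest = value[1:].partition("]")
        if not closed or "%" in host or (rest and not rest.startswith(":")):
            raise ValueError("malformed IPv6 literal")
        try:
            ipaddress.IPv6Address(host)
        except ValueError:
            raise ValueError("invalid IPv6 address") from None
        port = rest[1:] if rest else None
    else:  # registered name or IPv4 address
        host, colon, port = value.partition(":")
        port = port if colon else None
        if len(host) > 253 or not all(_LABEL.fullmatch(l) for l in host.split(".")):
            raise ValueError("invalid hostname")
    if port is not None and not (port.isdigit() and len(port) <= 5 and 0 < int(port) <= 65535):
        raise ValueError("invalid port")
    return value


def is_valid_host_header(value):
    """Boolean wrapper around validate_host_header."""
    try:
        validate_host_header(value)
        return True
    except ValueError:
        return False
```

Validation of this kind belongs at the API boundary where the rule is stored, and again where the value is serialized into an outgoing request, so that a value accepted by an older code path is still rejected before it reaches the wire.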
