Vulnerability disclosure on SSL for SaaS v1 (Managed CNAME)
2025-08-01
An upcoming vulnerability disclosure in Cloudflare’s SSL for SaaS v1 is detailed, explaining the steps we’ve taken towards deprecation...
2025-02-07
Cloudflare patched a Mutual TLS (mTLS) vulnerability (CVE-2025-23419) reported via its Bug Bounty Program. The flaw in session resumption allowed client certificates to authenticate across different...
2024-07-09
The RADIUS protocol is commonly used to control administrative access to networking gear. Despite its importance, RADIUS hasn’t changed much in decades. We discuss an attack on RADIUS as a case study for why it’s important for legacy protocols to keep up with advancements in cryptography...
2024-06-26
polyfill.io, a popular JavaScript library service, can no longer be trusted and should be removed from websites...
2024-05-30
In April and May 2024, Cloudforce One employed proactive defense measures to successfully prevent Russia-aligned threat actor FlyingYeti from launching their latest phishing campaign targeting Ukraine...
March 14, 2024 12:30 PM
The Workers AI and AI Gateway team recently collaborated closely with security researchers at Ben Gurion University regarding a report submitted through our Public Bug Bounty program. Through this process, we discovered and fully patched a vulnerability affecting all LLM provider...
March 06, 2024 2:00 PM
The Cybersecurity & Infrastructure Security Agency (CISA) recently issued an Emergency Directive due to the Ivanti Connect Secure and Policy Secure vulnerabilities. In this blog, we discuss the threat actor tactics exploiting these vulnerabilities...
February 29, 2024 2:00 PM
Cloudflare recently fixed two critical DNSSEC vulnerabilities: CVE-2023-50387 and CVE-2023-50868. Both of these vulnerabilities can exhaust computational resources of validating DNS resolvers. These vulnerabilities do not affect our Authoritative DNS or DNS firewall products...
January 23, 2024 2:00 PM
The issuance of Emergency Rules by Cloudflare on January 17, 2024, helped give customers a big advantage in dealing with these threats...
October 14, 2023 12:00 AM
On October 13, 2023, Cloudflare’s Cloudforce One Threat Operations Team became aware of a malicious Google Android application impersonating the real-time rocket alert app, Red Alert, which provides real-time rocket alerts for Israeli citizens...
October 10, 2023 12:02 PM
This post dives into the details of the HTTP/2 protocol, the feature that attackers exploited to generate the massive Rapid Reset attacks, and the mitigation strategies we took to ensure all our customers are protected...
October 10, 2023 12:02 PM
The “HTTP/2 Rapid Reset” attack exploits a weakness in the HTTP/2 protocol to generate enormous, hyper-volumetric DDoS attacks. Cloudflare has mitigated a barrage of these attacks in recent months, including an attack three times larger than any previous attack we’ve observed...
October 05, 2023 3:00 PM
Recently, Google announced a security issue in Google Chrome, titled "Heap buffer overflow in WebP in Google Chrome." Initially, it seemed like just another bug in the popular web browser. However, what we discovered was far more significant and had implications that extended wel...
August 04, 2023 6:29 PM
The Cybersecurity and Infrastructure Security Agency (CISA) just released a report highlighting the most commonly exploited vulnerabilities of 2022. ...
July 25, 2023 12:47 AM
The Google Information Security Team revealed a new flaw in AMD's Zen 2 processors in a blog post today. The 'Zenbleed' flaw affects the entire Zen 2 product stack, from AMD's EPYC data center processors to the Ryzen 3000 CPUs, and can be exploited to steal sensitive data process...
July 10, 2023 1:00 PM
Customers using Cloudflare Images or Image Resizing products are protected against the aCropalypse vulnerability. ...
April 25, 2023 1:07 PM
Researchers have recently published the discovery of a new DDoS reflection/amplification attack vector leveraging the SLP protocol. Cloudflare expects the prevalence of SLP-based DDoS attacks to rise in the coming weeks...
January 31, 2023 2:00 PM
In the Linux kernel before 6.1.6, a NULL pointer dereference bug in the traffic control subsystem allows an unprivileged user to trigger a denial of service (system crash) via a crafted traffic control configuration that is set up with "tc qdisc" and "tc class" commands....
November 02, 2022 9:31 AM
Information on CVE-2022-3602 and CVE-2022-3786, and why Cloudflare was not impacted...
June 05, 2022 8:54 PM UTC
Atlassian released a Security Advisory relating to a remote code execution (RCE) vulnerability affecting Confluence Server and Confluence Data Center products...