HTTP Request Smuggling in Transform Rules using hexadecimal escape sequences in the concat() function
Team Summary
Official summary from Cloudflare Public Bug Bounty
The Edge Rules engine used by Cloudflare Transform Rules features string modifying functions like lower() and concat(), which accepted hexadecimal-encoded characters such as "\x0a\x0d". This allowed for manipulation of request headers (e.g. injecting an additional header) and, as a consequence, made an HTTP smuggling attack (TE.CL) possible. This vulnerability enabled an attacker to bypass security products such as Cloudflare Access and view the content of internal origin servers. This bug in hexadecimal parsing was fixed by the relevant engineering team. We rewarded this finding as critical as well as a bonus for a high quality, detailed report. Internal investigation confirmed that no other CF customer was affected by this attack. As a recommendation, we advise Cloudflare Access customers to always verify the Authorization JWT token before processing requests from the Cloudflare edge.
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Bounty: $6000.00
Submitted:
Weakness: HTTP Request Smuggling
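
An added example, not code from the report or from Cloudflare: a toy string function that decodes `\xNN` escapes and validates the header value only after decoding, plus an origin-side check for conflicting framing headers of the kind a TE.CL desync relies on. All function names and sample values are assumptions constructed for illustration.

```python
import re

# Constructed illustration: function names and sample inputs are hypothetical.
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
FORBIDDEN = re.compile(r"[\r\n\x00]")  # never valid inside a header field value


def decode_hex_escapes(literal):
    """Stand-in for a rules engine turning \\xNN in a string literal into a character."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), literal)


def concat_header_value(*parts):
    """Concatenate rule arguments, then validate the decoded result.

    Checking the raw arguments is not enough: the text '\\x0a' contains no
    newline until it has been decoded, so validation must run last.
    """
    value = "".join(decode_hex_escapes(p) for p in parts)
    if FORBIDDEN.search(value):
        raise ValueError("header value contains CR, LF or NUL after decoding")
    return value


def framing_is_ambiguous(headers):
    """Origin-side check on a list of (name, value) pairs as received.

    True when Content-Length and Transfer-Encoding are both present, or when
    several Content-Length headers disagree; such requests should be rejected.
    """
    cl = [v.strip() for n, v in headers if n.strip().lower() == "content-length"]
    te = [v for n, v in headers if n.strip().lower() == "transfer-encoding"]
    return bool(cl and te) or len(set(cl)) > 1


if __name__ == "__main__":
    print(concat_header_value("id-", "\\x41bc"))  # harmless escape is decoded
    try:
        concat_header_value("v", "\\x0d\\x0aX-Injected: 1")  # constructed sample
    except ValueError as exc:
        print("rejected:", exc)
```
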