📄 Cloudflare Memory Leak_PACKETSTORM:212604

Description

A Python-based scanner imitates CloudBleed-style leakage detection by fetching raw HTTP response data from a target website, converting it to hexadecimal, and searching for sensitive memory patterns such as sessions, passwords, tokens, cookies, AWS...

Visit Original Source

Basic Information

ID PACKETSTORM:212604

Published Dec 9, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Cloudflare Memory Leak Incident |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://www.cloudflare.com/ |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/212490/ &

[+] Summary : A Python-based scanner imitates CloudBleed-style leakage detection by fetching raw HTTP response data from a target website, converting it to hexadecimal,
and searching for sensitive memory patterns such as sessions, passwords, tokens, cookies, AWS keys, and stack traces.
It does not exploit the server, but identifies potential leaks revealed in the response body.

[+] POC : python poc.py

#!/usr/bin/env python3
import re
import requests
import binascii

# ================================
# CONFIG
# ================================
TARGET_URL = "https://127.0.0.1/"
TIMEOUT = 10
MAX_HEX_DUMP = None # None = unlimited

# ================================
# SIGNATURES (Memory-leak patterns)
# ================================
PATTERNS = [
(b"session", "POTENTIAL_SESSION_LEAK"),
(b"cookie", "POTENTIAL_COOKIE_LEAK"),
(b"password", "POTENTIAL_PASSWORD_LEAK"),
(b"token", "POTENTIAL_TOKEN_LEAK"),
(b"bearer", "POTENTIAL_OAUTH_LEAK"),
(b"key=", "POTENTIAL_KEY_LEAK"),
(b"aws", "POTENTIAL_AWS_LEAK"),
(b"stacktrace", "POTENTIAL_STACKTRACE_LEAK"),
(b"malloc", "POTENTIAL_ALLOCATOR_LEAK"),
(b"free(", "POTENTIAL_FREE_MEMORY_REFERENCE"),
]

# ================================
# HTTP Fetch
# ================================
def fetch():
try:
r = requests.get(TARGET_URL, timeout=TIMEOUT)
return r.content
except:
return b""

# ================================
# Hex Dump Generator (CloudBleed Style)
# ================================
def hex_dump(data):
hexd = binascii.hexlify(data).decode()
return hexd if MAX_HEX_DUMP is None else hexd[:MAX_HEX_DUMP]

# ================================
# Scanner Core
# ================================
def scan_memory():
raw = fetch()
if not raw:
print("[!] Failed to fetch target")
return

print(f"[+] Memory Size Captured: {len(raw)} bytes")
print("=" * 80)

HEX = hex_dump(raw)
print("[*] Full HEX DUMP (No Truncation):\n")
print(HEX)
print("\n" + "=" * 80)

for signature, label in PATTERNS:
if signature.lower() in raw.lower():
print(f"[!] MATCH: {label}")
print(f" Pattern: {signature}")
print(" Extract:")
idx = raw.lower().find(signature.lower())
start = max(0, idx - 64)
end = min(len(raw), idx + 512)
leak_block = raw[start:end]
print(hex_dump(leak_block))
print("-" * 60)

if __name__ == "__main__":
scan_memory()

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2025-12-09T17:45:03",
    "description": "A Python-based scanner imitates CloudBleed-style leakage detection by fetching raw HTTP response data from a target website, converting it to hexadecimal, and searching for sensitive memory patterns such as sessions, passwords, tokens, cookies, AWS...",
    "published": "2025-12-09T00:00:00",
    "modified": "2025-12-09T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Cloudflare Memory Leak",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:212604",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Cloudflare Memory Leak Incident                                                                                             |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |\n    | # Vendor    : https://www.cloudflare.com/                                                                                                 |\n    =============================================================================================================================================\n    \n    [+] References : https://packetstorm.news/files/id/212490/ &\n    \n    [+] Summary : A Python-based scanner imitates CloudBleed-style leakage detection by fetching raw HTTP response data from a target website, converting it to hexadecimal, \n                 and searching for sensitive memory patterns such as sessions, passwords, tokens, cookies, AWS keys, and stack traces. \n    \t\t\t It does not exploit the server, but identifies potential leaks revealed in the response body.\n    \n    \n    [+]  POC :\tpython poc.py\n    \n    #!/usr/bin/env python3\n    import re\n    import requests\n    import binascii\n    \n    # ================================\n    #  CONFIG\n    # ================================\n    TARGET_URL = \"https://127.0.0.1/\"\n    TIMEOUT = 10\n    MAX_HEX_DUMP = None  # None = unlimited\n    \n    # ================================\n    #  SIGNATURES (Memory-leak patterns)\n    # ================================\n    PATTERNS = [\n        (b\"session\", \"POTENTIAL_SESSION_LEAK\"),\n        (b\"cookie\", \"POTENTIAL_COOKIE_LEAK\"),\n        (b\"password\", \"POTENTIAL_PASSWORD_LEAK\"),\n        (b\"token\", \"POTENTIAL_TOKEN_LEAK\"),\n        (b\"bearer\", \"POTENTIAL_OAUTH_LEAK\"),\n        (b\"key=\", \"POTENTIAL_KEY_LEAK\"),\n        (b\"aws\", \"POTENTIAL_AWS_LEAK\"),\n        (b\"stacktrace\", \"POTENTIAL_STACKTRACE_LEAK\"),\n        (b\"malloc\", \"POTENTIAL_ALLOCATOR_LEAK\"),\n        (b\"free(\", \"POTENTIAL_FREE_MEMORY_REFERENCE\"),\n    ]\n    \n    # ================================\n    #  HTTP Fetch\n    # ================================\n    def fetch():\n        try:\n            r = requests.get(TARGET_URL, timeout=TIMEOUT)\n            return r.content\n        except:\n            return b\"\"\n    \n    # ================================\n    #  Hex Dump Generator (CloudBleed Style)\n    # ================================\n    def hex_dump(data):\n        hexd = binascii.hexlify(data).decode()\n        return hexd if MAX_HEX_DUMP is None else hexd[:MAX_HEX_DUMP]\n    \n    # ================================\n    #  Scanner Core\n    # ================================\n    def scan_memory():\n        raw = fetch()\n        if not raw:\n            print(\"[!] Failed to fetch target\")\n            return\n    \n        print(f\"[+] Memory Size Captured: {len(raw)} bytes\")\n        print(\"=\" * 80)\n    \n        HEX = hex_dump(raw)\n        print(\"[*] Full HEX DUMP (No Truncation):\\n\")\n        print(HEX)\n        print(\"\\n\" + \"=\" * 80)\n    \n        for signature, label in PATTERNS:\n            if signature.lower() in raw.lower():\n                print(f\"[!] MATCH: {label}\")\n                print(f\"    Pattern: {signature}\")\n                print(\"    Extract:\")\n                idx = raw.lower().find(signature.lower())\n                start = max(0, idx - 64)\n                end = min(len(raw), idx + 512)\n                leak_block = raw[start:end]\n                print(hex_dump(leak_block))\n                print(\"-\" * 60)\n    \n    if __name__ == \"__main__\":\n        scan_memory()\n    \n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/212604",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/212604/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply