**Update**: We have changed this WAF rule to opt-in only, as sites that use auth middleware with third-party auth vendors were observing failing requests.
**We strongly recommend updating your version of Next.js (if eligible)** to the patched versions, as your app will otherwise be vulnerable to an authentication bypass attack regardless of auth provider.
-
## Enable the Managed Rule (strongly recommended)
+
###Enable the Managed Rule (strongly recommended)
This rule is opt-in only for sites on the Pro plan or above in the [WAF managed ruleset](/waf/managed-rules/).
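Review bot: the heading demotion from `## Enable the Managed Rule (strongly recommended)` to `###Enable the Managed Rule (strongly recommended)` only makes sense if a level-two heading now sits above this block, and no such `##` line is visible in this hunk's context; confirm the parent heading exists, otherwise the page's heading hierarchy (and any generated table of contents) skips a level. Also, as the added line appears here there is no space between `###` and `Enable`; CommonMark only treats `###` as an ATX heading when whitespace follows it, so verify the committed line reads `### Enable the Managed Rule (strongly recommended)` rather than rendering as literal text.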
@@ -29,9 +30,11 @@ To enable the rule:
6. Click **Next**
7. Scroll down and choose **Save**
+
<Imagesrc={managedRuleNextJsAuth}alt="Enable the CVE-2025-29927 rule"width="1280"height="1039" />
+
This will enable the WAF rule and block requests with the `x-middleware-subrequest` header regardless of Next.js version.
-
## Create a WAF rule (manual)
+
###Create a WAF rule (manual)
For users on the Free plan, or who want to define a more specific rule, you can create a [Custom WAF rule](/waf/custom-rules/create-dashboard/) to block requests with the `x-middleware-subrequest` header regardless of Next.js version.
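Review bot: the added `<Imagesrc={managedRuleNextJsAuth}alt="Enable the CVE-2025-29927 rule"width="1280"height="1039" />` line references the identifier `managedRuleNextJsAuth`, but no import for it appears anywhere in this hunk; confirm the MDX file imports that asset at the top of the file (outside the diff), since an unresolved identifier in an MDX expression fails the build rather than rendering a missing image. As the line appears here the tag name and attributes also run together (`<Imagesrc=`, `}alt=`, `"width=`), which JSX does not accept; verify the source has whitespace between `<Image`, `src`, `alt`, `width` and `height`. The same heading change applies in this hunk (`## Create a WAF rule (manual)` becomes `###Create a WAF rule (manual)`), again with no visible space after `###`; keep both demoted headings at the same level and check that the space is present so they still render as headings.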
We've made a WAF (Web Application Firewall) rule available to all sites on Cloudflare to protect against the [Next.js authentication bypass vulnerability](https://github.com/advisories/GHSA-f82v-jwr5-mffw) (`CVE-2025-29927`) published on March 21st, 2025.