changelog: update next.js changelog again (#21111)

elithrar · web-flow · commit 547e9a379071 · 2025-03-24T20:05:07.000-04:00
* changelog: update next.js changelog again

* changelog: update versions throughout cl
diff --git a/src/content/changelog/workers/2025-03-22-next-js-vulnerability-waf.mdx b/src/content/changelog/workers/2025-03-22-next-js-vulnerability-waf.mdx
@@ -12,6 +12,8 @@ date: 2025-03-22T13:00:00Z
 import { Image } from 'astro:assets';
 import managedRuleNextJsAuth from "~/assets/images/changelog/workers/high-res-CVE-2025-29927.gif"
 
+**Update: Mon Mar 24th, 11PM UTC**: Next.js has made further changes to address a smaller vulnerability introduced in the patches made to its middleware handling. Users should upgrade to Next.js versions `15.2.4`, `14.2.26`, `13.5.10` or `12.3.6`. **If you are unable to immediately upgrade or are running an older version of Next.js, you can enable the WAF rule described in this changelog as a mitigation**.
+
 **Update: Mon Mar 24th, 8PM UTC**: Next.js has now [backported the patch for this vulnerability](https://github.com/advisories/GHSA-f82v-jwr5-mffw) to cover Next.js v12 and v13. Users on those versions will need to patch to `13.5.9` and `12.3.5` (respectively) to mitigate the vulnerability.
 
 **Update: Sat Mar 22nd, 4PM UTC**: We have changed this WAF rule to opt-in only, as sites that use auth middleware with third-party auth vendors were observing failing requests.
@@ -63,7 +65,7 @@ We've made a WAF (Web Application Firewall) rule available to all sites on Cloud
 
 * This managed rule protects sites using Next.js on Workers and Pages, as well as sites using Cloudflare to protect Next.js applications hosted elsewhere.
 * This rule has been made available (but not enabled by default) to all sites as part of our [WAF Managed Ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/) and blocks requests that attempt to bypass authentication in Next.js applications.
-* The vulnerability affects almost all Next.js versions, and is patched in Next.js `14.2.25` and `15.2.3`.
-* **Users on older versions of Next.js (`11.1.4` to `13.5.6`) did not originally have a patch available**, but this the patch for this vulnerability has been backported and to Next.js `12.3.5` and `13.5.9` as of Monday, March 24th. Users on Next.js v11 will need to deploy the stated workaround or enable the WAF rule.
+* The vulnerability affects almost all Next.js versions, and has been fully patched in Next.js `14.2.26` and `15.2.4`. Earlier, interim releases did not fully patch this vulnerability.
+* **Users on older versions of Next.js (`11.1.4` to `13.5.6`) did not originally have a patch available**, but this the patch for this vulnerability and a subsequent additional patch have been backported to Next.js versions `12.3.6` and `13.5.10` as of Monday, March 24th. Users on Next.js v11 will need to deploy the stated workaround or enable the WAF rule.
 
 The managed WAF rule mitigates this by blocking _external_ user requests with the `x-middleware-subrequest` header regardless of Next.js version, but we recommend users using Next.js 14 and 15 upgrade to the patched versions of Next.js as an additional mitigation.
