You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: src/content/changelog/workers/2025-03-22-next-js-vulnerability-waf.mdx
+47-4Lines changed: 47 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -9,12 +9,55 @@ products:
9
9
date: 2025-03-22T13:00:00Z
10
10
---
11
11
12
-
We've deployed a WAF (Web Application Firewall) rule to all sites on Cloudflare to protect against the [Next.js authentication bypass vulnerability](https://github.com/advisories/GHSA-f82v-jwr5-mffw) (`CVE-2025-29927`) published on March 21st, 2025.
12
+
import { Image } from'astro:assets';
13
+
14
+
**Update**: We have changed this WAF rule to opt-in only, as sites that use auth middleware with third-party auth vendors were observing failing requests.
15
+
16
+
**We strongly recommend updating your version of Next.js (if eligible)** to the patched versions, as your app will otherwise be vulnerable to an authentication bypass attack regardless of auth provider.
17
+
18
+
## Enable the Managed Rule (strongly recommended)
19
+
20
+
This rule is opt-in only for sites on the Pro plan or above in the [WAF managed ruleset](/waf/managed-rules/).
21
+
22
+
To enable the rule:
23
+
24
+
1. Head to Security > WAF > Managed rules in the Cloudflare dashboard for the zone (website) you want to protect.
25
+
2. Click the three dots next to **Cloudflare Managed Ruleset** and choose **Edit**
26
+
3. Scroll down and choose **Browse Rules**
27
+
4. Search for **CVE-2025-29927** (ruleId: `34583778093748cc83ff7b38f472013e`)
28
+
5. Change the **Status** to **Enabled** and the **Action** to **Block**. You can optionally set the rule to Log, to validate potential impact before enabling it. Log will not block requests.
29
+
6. Click **Next**
30
+
7. Scroll down and choose **Save**
31
+
32
+
This will enable the WAF rule and block requests with the `x-middleware-subrequest` header regardless of Next.js version.
33
+
34
+
## Create a WAF rule (manual)
35
+
36
+
For users on the Free plan, or who want to define a more specific rule, you can create a [Custom WAF rule](/waf/custom-rules/create-dashboard/) to block requests with the `x-middleware-subrequest` header regardless of Next.js version.
37
+
38
+
To create a custom rule:
39
+
40
+
1. Head to Security > WAF > Custom rules in the Cloudflare dashboard for the zone (website) you want to protect.
41
+
2. Give the rule a name - e.g. `next-js-CVE-2025-29927`
42
+
3. Set the matching parameters for the rule match any request where the `x-middleware-subrequest` header `exists` per the rule expression below.
We've made a WAF (Web Application Firewall) rule available to all sites on Cloudflare to protect against the [Next.js authentication bypass vulnerability](https://github.com/advisories/GHSA-f82v-jwr5-mffw) (`CVE-2025-29927`) published on March 21st, 2025.
56
+
57
+
**Note**: This rule is not enabled by default as it blocked requests across sites for specific authentication middleware.
13
58
14
59
* This managed rule protects sites using Next.js on Workers and Pages, as well as sites using Cloudflare to protect Next.js applications hosted elsewhere.
15
-
* This rule has been automatically deployed to all sites as part of our [WAF Managed Ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/) and blocks requests that attempt to bypass authentication in Next.js applications.
60
+
* This rule has been made avaiable (but not enabled by default) to all sites as part of our [WAF Managed Ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/) and blocks requests that attempt to bypass authentication in Next.js applications.
16
61
* The vulnerability affects almost all Next.js versions, and is patched in Next.js `14.2.25` and `15..2.3`. **Users on older versions of Next.js (`11.1.4` to `13.5.6`) do not have a patch available**.
17
62
18
63
The managed WAF rule mitigates this by blocking _external_ user requests with the `x-middleware-subrequest` header regardless of Next.js version, but we recommend users using Next.js 14 and 15 upgrade to the patched versions of Next.js as an additional mitigation.
19
-
20
-
Note that you can choose to disable this rule by configuring a [managed ruleset exception](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/create-exception/) for ruleId `34583778093748cc83ff7b38f472013e`.
0 commit comments