changelog: WAF + Next.js CVE-2025-29927 (#21058)

* initial CL

* update

* clearer

* formatting

* bypass instructions

Author: elithrar

src/content/changelog/workers/2025-03-22-next-js-vulnerability-waf.mdx

@@ -0,0 +1,20 @@
+---
+title: New Managed WAF rule for Next.js CVE-2025-29927.
+description: Automatic deployment of a Web Application Firewall rule to block requests that attempt to bypass authentication in Next.js applications as part of CVE-2025-29927.
+products:
+  - workers
+  - pages
+  - waf
+  - rules
+date: 2025-03-22T13:00:00Z
+---
+
+We've deployed a WAF (Web Application Firewall) rule to all sites on Cloudflare to protect against the [Next.js authentication bypass vulnerability](https://github.com/advisories/GHSA-f82v-jwr5-mffw) (`CVE-2025-29927`) published on March 21st, 2025.
+
+* This managed rule protects sites using Next.js on Workers and Pages, as well as sites using Cloudflare to protect Next.js applications hosted elsewhere.
+* This rule has been automatically deployed to all sites as part of our [WAF Managed Ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/) and blocks requests that attempt to bypass authentication in Next.js applications.
+* The vulnerability affects almost all Next.js versions, and is patched in Next.js `14.2.25` and `15..2.3`. **Users on older versions of Next.js (`11.1.4` to `13.5.6`) do not have a patch available**.
+
+The managed WAF rule mitigates this by blocking _external_ user requests with the `x-middleware-subrequest` header regardless of Next.js version, but we recommend users using Next.js 14 and 15 upgrade to the patched versions of Next.js as an additional mitigation.
+
+Note that you can choose to disable this rule by configuring a [managed ruleset exception](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/create-exception/) for ruleId `34583778093748cc83ff7b38f472013e`.