fix

Author: elithrar

src/content/changelog/workers/2025-03-22-next-js-vulnerability-waf.mdx

@@ -10,12 +10,13 @@ date: 2025-03-22T13:00:00Z
 ---
 
 import { Image } from 'astro:assets';
+import managedRuleNextJsAuth from "~/assets/images/changelog/workers/high-res-CVE-2025-29927.gif"
 
 **Update**: We have changed this WAF rule to opt-in only, as sites that use auth middleware with third-party auth vendors were observing failing requests.
 
 **We strongly recommend updating your version of Next.js (if eligible)** to the patched versions, as your app will otherwise be vulnerable to an authentication bypass attack regardless of auth provider.
 
-## Enable the Managed Rule (strongly recommended)
+### Enable the Managed Rule (strongly recommended)
 
 This rule is opt-in only for sites on the Pro plan or above in the [WAF managed ruleset](/waf/managed-rules/).
 
@@ -29,9 +30,11 @@ To enable the rule:
 6. Click **Next**
 7. Scroll down and choose **Save**
 
+<Image src={managedRuleNextJsAuth} alt="Enable the CVE-2025-29927 rule" width="1280" height="1039" />
+
 This will enable the WAF rule and block requests with the `x-middleware-subrequest` header regardless of Next.js version.
 
-## Create a WAF rule (manual)
+### Create a WAF rule (manual)
 
 For users on the Free plan, or who want to define a more specific rule, you can create a [Custom WAF rule](/waf/custom-rules/create-dashboard/) to block requests with the `x-middleware-subrequest` header regardless of Next.js version.
 
@@ -50,7 +53,7 @@ To create a custom rule:
 
 ![Next.js CVE-2025-29927 WAF rule](src/assets/images/changelog/workers/waf-rule-cve-2025-29927.png)
 
-## Next.js CVE-2025-29927
+### Next.js CVE-2025-29927
 
 We've made a WAF (Web Application Firewall) rule available to all sites on Cloudflare to protect against the [Next.js authentication bypass vulnerability](https://github.com/advisories/GHSA-f82v-jwr5-mffw) (`CVE-2025-29927`) published on March 21st, 2025.