From 5329b8a46ff2871d0bb863ccfd010bdb815cf675 Mon Sep 17 00:00:00 2001 From: Matt Silverlock Date: Sat, 22 Mar 2025 07:52:40 -0400 Subject: [PATCH 1/5] initial CL --- .../2025-03-22-next-js-vulnerability-waf.mdx | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 src/content/changelog/workers/2025-03-22-next-js-vulnerability-waf.mdx diff --git a/src/content/changelog/workers/2025-03-22-next-js-vulnerability-waf.mdx b/src/content/changelog/workers/2025-03-22-next-js-vulnerability-waf.mdx new file mode 100644 index 000000000000000..da5b97572910fa3 --- /dev/null +++ b/src/content/changelog/workers/2025-03-22-next-js-vulnerability-waf.mdx @@ -0,0 +1,14 @@ +--- +title: Managed WAF rule for Next.js vulnerability +description: Automatic deployment of a Web Application Firewall rule to block requests that attempt to bypass authentication in Next.js applications as part of CVE-2025-29927. +products: + - workers + - pages + - waf + - rules +date: 2025-03-22T13:00:00Z +--- + +We've deployed a WAF (Web Application Firewall) rule to all sites to protect against the [Next.js authentication bypass vulnerability](https://github.com/advisories/GHSA-f82v-jwr5-mffw) (`CVE-2025-29927`) published on March 21st, 2025. + +TODO From c6cd72da3aef01b77e09696824ab47d6b145628a Mon Sep 17 00:00:00 2001 From: Matt Silverlock Date: Sat, 22 Mar 2025 08:03:33 -0400 Subject: [PATCH 2/5] update --- .../workers/2025-03-22-next-js-vulnerability-waf.mdx | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/content/changelog/workers/2025-03-22-next-js-vulnerability-waf.mdx b/src/content/changelog/workers/2025-03-22-next-js-vulnerability-waf.mdx index da5b97572910fa3..93ac6d2a3466e41 100644 --- a/src/content/changelog/workers/2025-03-22-next-js-vulnerability-waf.mdx +++ b/src/content/changelog/workers/2025-03-22-next-js-vulnerability-waf.mdx 
@@ -11,4 +11,8 @@ date: 2025-03-22T13:00:00Z We've deployed a WAF (Web Application Firewall) rule to all sites to protect against the [Next.js authentication bypass vulnerability](https://github.com/advisories/GHSA-f82v-jwr5-mffw) (`CVE-2025-29927`) published on March 21st, 2025. -TODO +This rule is automatically deployed to all sitesas part of our [WAF Managed Ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/) and blocks requests that attempt to bypass authentication in Next.js applications. + +The vulnerability affects almost all Next.js versions, and is patched in Next.js `14.2.25` and `15..2.3`. **Users on older versions of Next.js (`11.1.4` to `13.5.6`) do not have a patch available**. + +The managed WAF rule mitigates this by blocking _external_ user requests with the `x-middleware-subrequest` header regardless of Next.js version, but we recommend users using Next.js 14 and 15 upgrade to the patched versions of Next.js as an additional mitigation. From 3fd3726566783f701721b6d076e8669787a24d73 Mon Sep 17 00:00:00 2001 From: Matt Silverlock Date: Sat, 22 Mar 2025 08:07:31 -0400 Subject: [PATCH 3/5] clearer --- .../workers/2025-03-22-next-js-vulnerability-waf.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/content/changelog/workers/2025-03-22-next-js-vulnerability-waf.mdx b/src/content/changelog/workers/2025-03-22-next-js-vulnerability-waf.mdx index 93ac6d2a3466e41..8eefe177b187fad 100644 --- a/src/content/changelog/workers/2025-03-22-next-js-vulnerability-waf.mdx +++ b/src/content/changelog/workers/2025-03-22-next-js-vulnerability-waf.mdx @@ -1,5 +1,5 @@ --- -title: Managed WAF rule for Next.js vulnerability +title: New Managed WAF rule for Next.js CVE-2025-29927. description: Automatic deployment of a Web Application Firewall rule to block requests that attempt to bypass authentication in Next.js applications as part of CVE-2025-29927. products: - workers 
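Review bot: the patched-version list in the PATCH 2/5 hunk has a typo, `15..2.3` should read `15.2.3` (the `14.2.25` entry is fine), and that line is carried unchanged through the rest of the series, so the published page would ship a malformed version string. Same hunk: `sitesas` is missing a space (PATCH 5/5 fixes that one), and `we recommend users using Next.js 14 and 15 upgrade` reads better as `we recommend that users on Next.js 14 or 15 upgrade`. On substance, the closing sentence presents upgrading as `an additional mitigation` to the WAF rule; since the rule only filters the header at the edge while the patched releases remove the bug, the priority should be inverted: upgrading is the fix, the managed rule is defence in depth for traffic that reaches Cloudflare.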
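Review bot: the new title in the first PATCH 3/5 hunk ends with a period (`New Managed WAF rule for Next.js CVE-2025-29927.`); titles are not sentences and the period will show up in changelog listings, so drop it. The unchanged `description:` line in the same hunk says the rule blocks bypass attempts `as part of CVE-2025-29927`; the rule is not part of the CVE, so `tracked as CVE-2025-29927` or `described in CVE-2025-29927` is the clearer wording.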
@@ -9,9 +9,9 @@ products: date: 2025-03-22T13:00:00Z --- -We've deployed a WAF (Web Application Firewall) rule to all sites to protect against the [Next.js authentication bypass vulnerability](https://github.com/advisories/GHSA-f82v-jwr5-mffw) (`CVE-2025-29927`) published on March 21st, 2025. +We've deployed a WAF (Web Application Firewall) rule to all sites on Cloudflare to protect against the [Next.js authentication bypass vulnerability](https://github.com/advisories/GHSA-f82v-jwr5-mffw) (`CVE-2025-29927`) published on March 21st, 2025. This includes sites using Next.js on Workers and Pages, as well as sites using Cloudflare to protect Next.js applications hosted elsewhere. -This rule is automatically deployed to all sitesas part of our [WAF Managed Ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/) and blocks requests that attempt to bypass authentication in Next.js applications. +This rule has been automatically deployed to all sitesas part of our [WAF Managed Ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/) and blocks requests that attempt to bypass authentication in Next.js applications. The vulnerability affects almost all Next.js versions, and is patched in Next.js `14.2.25` and `15..2.3`. **Users on older versions of Next.js (`11.1.4` to `13.5.6`) do not have a patch available**. From fc9fb5eca839966e52432838476a97e9e6d27bdb Mon Sep 17 00:00:00 2001 From: Matt Silverlock Date: Sat, 22 Mar 2025 08:21:14 -0400 Subject: [PATCH 4/5] formatting --- .../workers/2025-03-22-next-js-vulnerability-waf.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/content/changelog/workers/2025-03-22-next-js-vulnerability-waf.mdx b/src/content/changelog/workers/2025-03-22-next-js-vulnerability-waf.mdx index 8eefe177b187fad..66790627a1cf8ed 100644 --- a/src/content/changelog/workers/2025-03-22-next-js-vulnerability-waf.mdx +++ b/src/content/changelog/workers/2025-03-22-next-js-vulnerability-waf.mdx 
@@ -9,10 +9,10 @@ products: date: 2025-03-22T13:00:00Z --- -We've deployed a WAF (Web Application Firewall) rule to all sites on Cloudflare to protect against the [Next.js authentication bypass vulnerability](https://github.com/advisories/GHSA-f82v-jwr5-mffw) (`CVE-2025-29927`) published on March 21st, 2025. This includes sites using Next.js on Workers and Pages, as well as sites using Cloudflare to protect Next.js applications hosted elsewhere. +We've deployed a WAF (Web Application Firewall) rule to all sites on Cloudflare to protect against the [Next.js authentication bypass vulnerability](https://github.com/advisories/GHSA-f82v-jwr5-mffw) (`CVE-2025-29927`) published on March 21st, 2025. -This rule has been automatically deployed to all sitesas part of our [WAF Managed Ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/) and blocks requests that attempt to bypass authentication in Next.js applications. - -The vulnerability affects almost all Next.js versions, and is patched in Next.js `14.2.25` and `15..2.3`. **Users on older versions of Next.js (`11.1.4` to `13.5.6`) do not have a patch available**. +* This managed rule protects sites using Next.js on Workers and Pages, as well as sites using Cloudflare to protect Next.js applications hosted elsewhere. +* This rule has been automatically deployed to all sitesas part of our [WAF Managed Ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/) and blocks requests that attempt to bypass authentication in Next.js applications. +* The vulnerability affects almost all Next.js versions, and is patched in Next.js `14.2.25` and `15..2.3`. **Users on older versions of Next.js (`11.1.4` to `13.5.6`) do not have a patch available**. The managed WAF rule mitigates this by blocking _external_ user requests with the `x-middleware-subrequest` header regardless of Next.js version, but we recommend users using Next.js 14 and 15 upgrade to the patched versions of Next.js as an additional mitigation. 
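Review bot: the reflow into bullets in the PATCH 4/5 hunk keeps the `15..2.3` typo from the previous patch; correct it to `15.2.3` while this line is being touched. The third bullet tells readers on `11.1.4` to `13.5.6` that no patch exists and stops there; add what they should do (keep this managed rule enabled, since the following paragraph says it applies regardless of version) so the bullet is not a dead end. In the closing paragraph the emphasis on `_external_ user requests` implies the `x-middleware-subrequest` header also appears on legitimate internal requests, but the text never says what external means here; one clause such as "requests arriving at Cloudflare from clients" would explain why those internal subrequests are unaffected. `users using Next.js 14 and 15` should be `users on Next.js 14 or 15`.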
From 9e5a5214f82928c2a84f1e71f08ed414dd20d8b2 Mon Sep 17 00:00:00 2001 From: Matt Silverlock Date: Sat, 22 Mar 2025 11:18:04 -0400 Subject: [PATCH 5/5] bypass instructions --- .../workers/2025-03-22-next-js-vulnerability-waf.mdx | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/content/changelog/workers/2025-03-22-next-js-vulnerability-waf.mdx b/src/content/changelog/workers/2025-03-22-next-js-vulnerability-waf.mdx index 66790627a1cf8ed..30385c3f9f095c1 100644 --- a/src/content/changelog/workers/2025-03-22-next-js-vulnerability-waf.mdx +++ b/src/content/changelog/workers/2025-03-22-next-js-vulnerability-waf.mdx 
@@ -12,7 +12,9 @@ date: 2025-03-22T13:00:00Z We've deployed a WAF (Web Application Firewall) rule to all sites on Cloudflare to protect against the [Next.js authentication bypass vulnerability](https://github.com/advisories/GHSA-f82v-jwr5-mffw) (`CVE-2025-29927`) published on March 21st, 2025. * This managed rule protects sites using Next.js on Workers and Pages, as well as sites using Cloudflare to protect Next.js applications hosted elsewhere. -* This rule has been automatically deployed to all sitesas part of our [WAF Managed Ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/) and blocks requests that attempt to bypass authentication in Next.js applications. +* This rule has been automatically deployed to all sites as part of our [WAF Managed Ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/) and blocks requests that attempt to bypass authentication in Next.js applications. * The vulnerability affects almost all Next.js versions, and is patched in Next.js `14.2.25` and `15..2.3`. **Users on older versions of Next.js (`11.1.4` to `13.5.6`) do not have a patch available**. The managed WAF rule mitigates this by blocking _external_ user requests with the `x-middleware-subrequest` header regardless of Next.js version, but we recommend users using Next.js 14 and 15 upgrade to the patched versions of Next.js as an additional mitigation. + +Note that you can choose to disable this rule by configuring a [managed ruleset exception](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/create-exception/) for ruleId `34583778093748cc83ff7b38f472013e`.
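Review bot: the exception link added in the PATCH 5/5 hunk is an absolute URL (`https://developers.cloudflare.com/ruleset-engine/managed-rulesets/create-exception/`) while the WAF Managed Ruleset link in the same file is site-relative (`/waf/managed-rules/reference/cloudflare-managed-ruleset/`); use the relative form for consistency. The new note tells readers how to disable the rule but not the cost: two paragraphs up the page says Next.js `11.1.4` to `13.5.6` has no patch and that this rule mitigates the issue regardless of version, so an exception for rule `34583778093748cc83ff7b38f472013e` leaves those deployments with no protection at all, and the sentence should say so. `ruleId` is an API field name; in prose, `rule ID` reads better. Finally, the unchanged context line in this hunk still reads `15..2.3`, so the series as merged publishes a malformed version number; `15.2.3` is the intended value.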