cloudflare · elithrar · Mar 22, 2025 · Mar 22, 2025 · Mar 22, 2025 · Mar 22, 2025
@@ -9,12 +9,55 @@ products:
 date: 2025-03-22T13:00:00Z
 ---
 
-We've deployed a WAF (Web Application Firewall) rule to all sites on Cloudflare to protect against the [Next.js authentication bypass vulnerability](https://github.com/advisories/GHSA-f82v-jwr5-mffw) (`CVE-2025-29927`) published on March 21st, 2025.
+import { Image } from 'astro:assets';
+
+**Update**: We have changed this WAF rule to opt-in only, as sites that use auth middleware with third-party auth vendors were observing failing requests.
+
+**We strongly recommend updating your version of Next.js (if eligible)** to the patched versions, as your app will otherwise be vulnerable to an authentication bypass attack regardless of auth provider.
+
+## Enable the Managed Rule (strongly recommended)
+
+This rule is opt-in only for sites on the Pro plan or above in the [WAF managed ruleset](/waf/managed-rules/).
+
+To enable the rule:
+
+1. Head to Security > WAF > Managed rules in the Cloudflare dashboard for the zone (website) you want to protect.
+2. Click the three dots next to **Cloudflare Managed Ruleset** and choose **Edit**
+3. Scroll down and choose **Browse Rules**
+4. Search for **CVE-2025-29927** (ruleId: `34583778093748cc83ff7b38f472013e`)
+5. Change the **Status** to **Enabled** and the **Action** to **Block**. You can optionally set the rule to Log, to validate potential impact before enabling it. Log will not block requests.
+6. Click **Next**
+7. Scroll down and choose **Save**
+
+This will enable the WAF rule and block requests with the `x-middleware-subrequest` header regardless of Next.js version.
+
+## Create a WAF rule (manual)
+
+For users on the Free plan, or who want to define a more specific rule, you can create a [Custom WAF rule](/waf/custom-rules/create-dashboard/) to block requests with the `x-middleware-subrequest` header regardless of Next.js version.
+
+To create a custom rule:
+
+1. Head to Security > WAF > Custom rules in the Cloudflare dashboard for the zone (website) you want to protect.
+2. Give the rule a name - e.g. `next-js-CVE-2025-29927`
+3. Set the matching parameters for the rule match any request where the `x-middleware-subrequest` header `exists` per the rule expression below.
+
+```sh
+(len(http.request.headers["x-middleware-subrequest"]) > 0)
+```
+
+4. Set the action to 'block'. If you want to observe the impact before blocking requests, set the action to 'log' (and edit the rule later).
+5. **Deploy** the rule.
+
+![Next.js CVE-2025-29927 WAF rule](src/assets/images/changelog/workers/waf-rule-cve-2025-29927.png)
+
+## Next.js CVE-2025-29927
+
+We've made a WAF (Web Application Firewall) rule available to all sites on Cloudflare to protect against the [Next.js authentication bypass vulnerability](https://github.com/advisories/GHSA-f82v-jwr5-mffw) (`CVE-2025-29927`) published on March 21st, 2025.
+
+**Note**: This rule is not enabled by default as it blocked requests across sites for specific authentication middleware.
 
 * This managed rule protects sites using Next.js on Workers and Pages, as well as sites using Cloudflare to protect Next.js applications hosted elsewhere.
-* This rule has been automatically deployed to all sites as part of our [WAF Managed Ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/) and blocks requests that attempt to bypass authentication in Next.js applications.
+* This rule has been made avaiable (but not enabled by default) to all sites as part of our [WAF Managed Ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/) and blocks requests that attempt to bypass authentication in Next.js applications.
 * The vulnerability affects almost all Next.js versions, and is patched in Next.js `14.2.25` and `15..2.3`. **Users on older versions of Next.js (`11.1.4` to `13.5.6`) do not have a patch available**.
 
 The managed WAF rule mitigates this by blocking _external_ user requests with the `x-middleware-subrequest` header regardless of Next.js version, but we recommend users using Next.js 14 and 15 upgrade to the patched versions of Next.js as an additional mitigation.
-
-Note that you can choose to disable this rule by configuring a [managed ruleset exception](https://developers.cloudflare.com/ruleset-engine/managed-rulesets/create-exception/) for ruleId `34583778093748cc83ff7b38f472013e`.