Merged
8 changes: 8 additions & 0 deletions astro.config.ts
Expand Up @@ -69,6 +69,14 @@ export default defineConfig({
rehypeTitleFigure,
],
},
image: {
service: {
entrypoint: "astro/assets/services/sharp",
config: {
limitInputPixels: false,
},
},
},
experimental: {
contentIntellisense: true,
},
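Review bot: `limitInputPixels: false` disables sharp's input pixel guard entirely, so any oversized image under the assets directory (including one added later by mistake) is decoded without bound at build time; if the intent is only to let the high-resolution changelog GIF through, prefer an explicit ceiling such as `limitInputPixels: <pixel count sized to that asset>` instead of `false`, and add a comment on the `config` block recording why the default was raised.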
Expand Up @@ -10,12 +10,13 @@ date: 2025-03-22T13:00:00Z
---

import { Image } from 'astro:assets';
import managedRuleNextJsAuth from "~/assets/images/changelog/workers/high-res-CVE-2025-29927.gif"

**Update**: We have changed this WAF rule to opt-in only, as sites that use auth middleware with third-party auth vendors were observing failing requests.

**We strongly recommend updating your version of Next.js (if eligible)** to the patched versions, as your app will otherwise be vulnerable to an authentication bypass attack regardless of auth provider.

## Enable the Managed Rule (strongly recommended)
### Enable the Managed Rule (strongly recommended)

This rule is opt-in only for sites on the Pro plan or above in the [WAF managed ruleset](/waf/managed-rules/).
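Review bot: the **Update** paragraph says the rule was changed to opt-in because sites using third-party auth middleware saw failing requests, but gives no date for that change, so a reader cannot tell whether the rule was active on their zone before this edit; add the date here (the frontmatter `date: 2025-03-22T13:00:00Z` is the original publication timestamp, not the update). The bold recommendation also refers to "the patched versions" without naming or linking them; the advisory link that appears in the last section of this file would fit here as well.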

Expand All @@ -29,9 +30,11 @@ To enable the rule:
6. Click **Next**
7. Scroll down and choose **Save**

<Image src={managedRuleNextJsAuth} alt="Enable the CVE-2025-29927 rule" width="1280" height="1039" />

This will enable the WAF rule and block requests with the `x-middleware-subrequest` header regardless of Next.js version.

## Create a WAF rule (manual)
### Create a WAF rule (manual)

For users on the Free plan, or who want to define a more specific rule, you can create a [Custom WAF rule](/waf/custom-rules/create-dashboard/) to block requests with the `x-middleware-subrequest` header regardless of Next.js version.
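Review bot: the sentence after the `<Image>` promises the rule will block requests with the `x-middleware-subrequest` header "regardless of Next.js version" but does not repeat the caveat added at the top of the file about failing requests on sites that use third-party auth middleware; readers following the numbered steps may skip the update notice, so restate that caveat or link back to it right after the steps. Also, `width="1280" height="1039"` are hard-coded for the GIF; confirm they match the asset so the layout does not shift, and consider whether a static screenshot would convey the same steps without requiring the `limitInputPixels` change in `astro.config.ts`.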

Expand All @@ -50,7 +53,7 @@ To create a custom rule:

![Next.js CVE-2025-29927 WAF rule](src/assets/images/changelog/workers/waf-rule-cve-2025-29927.png)

## Next.js CVE-2025-29927
### Next.js CVE-2025-29927

We've made a WAF (Web Application Firewall) rule available to all sites on Cloudflare to protect against the [Next.js authentication bypass vulnerability](https://github.com/advisories/GHSA-f82v-jwr5-mffw) (`CVE-2025-29927`) published on March 21st, 2025.
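Review bot: all three headings in this file are demoted from `##` to `###`, yet no `##` heading appears in the diff context, so confirm a parent `##` exists above them; otherwise the page skips from the frontmatter title straight to `h3`. Separately, the image two lines above uses the literal path `src/assets/images/changelog/workers/waf-rule-cve-2025-29927.png` while the GIF in the first hunk is imported through the `~/assets/...` alias; one convention for both would be more consistent.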
