--- title: Changelog description: Update: Mon Mar 24th, 11PM UTC: Next.js has made further changes to address a smaller vulnerability introduced in the patches made to its middleware handling. Users should upgrade to Next.js versions 15.2.4, 14.2.26, 13.5.10 or 12.3.6. If you are unable to immediately upgrade or are running an older version of Next.js, you can enable the WAF rule described in this changelog as a mitigation. image: https://developers.cloudflare.com/core-services-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/waf/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Changelog [ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/waf.xml) ## 2025-04-14 **WAF Release - 2025-04-14** | Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments | | -------------------------- | ----------- | -------------- | ---------------------------------------------- | --------------- | ---------- | ----------------------- | | Cloudflare Managed Ruleset | ...d6b2d36c | 100739A | Next.js - Auth Bypass - CVE:CVE-2025-29927 - 2 | Log | Disabled | This is a New Detection | ## 2025-04-02 **WAF Release - 2025-04-02** | Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments | | -------------------------- | ----------- | -------------- | --------------------------------------------------------------------------------------- | --------------- | ---------- | ----------------------- | | Cloudflare Managed Ruleset | ...622f0483 | 100732 | Sitecore - Code Injection - CVE:CVE-2025-27218 | Log | Block | This is a New Detection | | Cloudflare Managed Ruleset | ...0f101cca | 100733 | Angular-Base64-Upload - Remote Code Execution - CVE:CVE-2024-42640 | Log | Block | This is a New Detection | | Cloudflare Managed Ruleset | ...1bbcd247 | 100734 | Apache Camel - Remote Code Execution - CVE:CVE-2025-29891 | Log | Disabled | This is a New Detection | | Cloudflare Managed Ruleset | ...90aea1ca | 100735 | Progress Software WhatsUp Gold - Remote Code Execution - CVE:CVE-2024-4885 | Log | Block | This is a New Detection | | Cloudflare Managed Ruleset | ...d9d8c5f2 | 100737 | Apache Tomcat - Remote Code Execution - CVE:CVE-2025-24813 | Log | Block | This is a New Detection | | Cloudflare Managed Ruleset | ...a28a42c4 | 100659 | Common Payloads for Server-side Template Injection | N/A | Disabled | N/A | | Cloudflare Managed Ruleset | ...daa4b037 | 100659 | Common Payloads for Server-side Template Injection - Base64 | N/A | Disabled | N/A | | Cloudflare Managed Ruleset | ...48f6a9cf | 100642 | LDAP Injection | N/A | Disabled | N/A | | Cloudflare Managed Ruleset | ...e0713e9f | 100642 | LDAP Injection Base64 | N/A | Disabled | N/A | | Cloudflare Managed Ruleset | ...1bc977d1 | 100005 | DotNetNuke - File Inclusion - CVE:CVE-2018-9126, CVE:CVE-2011-1892, CVE:CVE-2022-31474 | N/A | Disabled | N/A | | Cloudflare Managed Ruleset | ...bb70a463 | 100527 | Apache Struts - CVE:CVE-2021-31805 | N/A | Block | N/A | | Cloudflare Managed Ruleset | ...0c99546a | 100702 | Command Injection - CVE:CVE-2022-24108 | N/A | Block | N/A | | Cloudflare Managed Ruleset | ...9a5581d0 | 100622C | Ivanti - Command Injection - CVE:CVE-2023-46805, CVE:CVE-2024-21887, CVE:CVE-2024-22024 | N/A | Block | N/A | | Cloudflare Managed Ruleset | ...06d0b009 | 100536C | GraphQL Command Injection | N/A | Disabled | N/A | | Cloudflare Managed Ruleset | ...1651d0c8 | 100536 | GraphQL Injection | N/A | Disabled | N/A | | Cloudflare Managed Ruleset | ...af00f61d | 100536A | GraphQL Introspection | N/A | Disabled | N/A | | Cloudflare Managed Ruleset | ...a41e5b67 | 100536B | GraphQL SSRF | N/A | Disabled | N/A | | Cloudflare Managed Ruleset | ...433e5b3d | 100559A | Prototype Pollution - Common Payloads | N/A | Disabled | N/A | | Cloudflare Managed Ruleset | ...4816b26f | 100559A | Prototype Pollution - Common Payloads - Base64 | N/A | Disabled | N/A | | Cloudflare Managed Ruleset | ...fcea5ed2 | 100734 | Apache Camel - Remote Code Execution - CVE:CVE-2025-29891 | N/A | Disabled | N/A | ## 2025-03-22 **WAF Release - 2025-03-22 - Emergency** | Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments | | -------------------------- | ----------- | -------------- | ------------------------------------------ | --------------- | ---------- | ----------------------- | | Cloudflare Managed Ruleset | ...f472013e | 100739 | Next.js - Auth Bypass - CVE:CVE-2025-29927 | N/A | Disabled | This is a New Detection | ## 2025-03-22 **New Managed WAF rule for Next.js CVE-2025-29927.** **Update: Mon Mar 24th, 11PM UTC**: Next.js has made further changes to address a smaller vulnerability introduced in the patches made to its middleware handling. Users should upgrade to Next.js versions `15.2.4`, `14.2.26`, `13.5.10` or `12.3.6`. **If you are unable to immediately upgrade or are running an older version of Next.js, you can enable the WAF rule described in this changelog as a mitigation**. **Update: Mon Mar 24th, 8PM UTC**: Next.js has now [backported the patch for this vulnerability ↗](https://github.com/advisories/GHSA-f82v-jwr5-mffw) to cover Next.js v12 and v13\. Users on those versions will need to patch to `13.5.9` and `12.3.5` (respectively) to mitigate the vulnerability. **Update: Sat Mar 22nd, 4PM UTC**: We have changed this WAF rule to opt-in only, as sites that use auth middleware with third-party auth vendors were observing failing requests. **We strongly recommend updating your version of Next.js (if eligible)** to the patched versions, as your app will otherwise be vulnerable to an authentication bypass attack regardless of auth provider. #### Enable the Managed Rule (strongly recommended) This rule is opt-in only for sites on the Pro plan or above in the [WAF managed ruleset](https://developers.cloudflare.com/waf/managed-rules/). To enable the rule: 1. Head to Security > WAF > Managed rules in the Cloudflare dashboard for the zone (website) you want to protect. 2. Click the three dots next to **Cloudflare Managed Ruleset** and choose **Edit** 3. Scroll down and choose **Browse Rules** 4. Search for **CVE-2025-29927** (ruleId: `34583778093748cc83ff7b38f472013e`) 5. Change the **Status** to **Enabled** and the **Action** to **Block**. You can optionally set the rule to Log, to validate potential impact before enabling it. Log will not block requests. 6. Click **Next** 7. Scroll down and choose **Save** This will enable the WAF rule and block requests with the `x-middleware-subrequest` header regardless of Next.js version. #### Create a WAF rule (manual) For users on the Free plan, or who want to define a more specific rule, you can create a [Custom WAF rule](https://developers.cloudflare.com/waf/custom-rules/create-dashboard/) to block requests with the `x-middleware-subrequest` header regardless of Next.js version. To create a custom rule: 1. Head to Security > WAF > Custom rules in the Cloudflare dashboard for the zone (website) you want to protect. 2. Give the rule a name - e.g. `next-js-CVE-2025-29927` 3. Set the matching parameters for the rule match any request where the `x-middleware-subrequest` header `exists` per the rule expression below. Terminal window ``` (len(http.request.headers["x-middleware-subrequest"]) > 0) ``` 1. Set the action to 'block'. If you want to observe the impact before blocking requests, set the action to 'log' (and edit the rule later). 2. **Deploy** the rule. ![Next.js CVE-2025-29927 WAF rule](https://developers.cloudflare.com/_astro/waf-rule-cve-2025-29927.0i0XiweZ_Z8mlyw.webp) #### Next.js CVE-2025-29927 We've made a WAF (Web Application Firewall) rule available to all sites on Cloudflare to protect against the [Next.js authentication bypass vulnerability ↗](https://github.com/advisories/GHSA-f82v-jwr5-mffw) (`CVE-2025-29927`) published on March 21st, 2025. **Note**: This rule is not enabled by default as it blocked requests across sites for specific authentication middleware. * This managed rule protects sites using Next.js on Workers and Pages, as well as sites using Cloudflare to protect Next.js applications hosted elsewhere. * This rule has been made available (but not enabled by default) to all sites as part of our [WAF Managed Ruleset](https://developers.cloudflare.com/waf/managed-rules/reference/cloudflare-managed-ruleset/) and blocks requests that attempt to bypass authentication in Next.js applications. * The vulnerability affects almost all Next.js versions, and has been fully patched in Next.js `14.2.26` and `15.2.4`. Earlier, interim releases did not fully patch this vulnerability. * **Users on older versions of Next.js (`11.1.4` to `13.5.6`) did not originally have a patch available**, but this the patch for this vulnerability and a subsequent additional patch have been backported to Next.js versions `12.3.6` and `13.5.10` as of Monday, March 24th. Users on Next.js v11 will need to deploy the stated workaround or enable the WAF rule. The managed WAF rule mitigates this by blocking _external_ user requests with the `x-middleware-subrequest` header regardless of Next.js version, but we recommend users using Next.js 14 and 15 upgrade to the patched versions of Next.js as an additional mitigation. ## 2025-03-19 **WAF Release - 2025-03-19 - Emergency** | Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments | | -------------------------- | ----------- | -------------- | ------------------------------ | --------------- | ---------- | ----------------------- | | Cloudflare Managed Ruleset | ...a2cafae7 | 100736 | Generic HTTP Request Smuggling | N/A | Disabled | This is a New Detection | ## 2025-03-17 **WAF Release - 2025-03-17** | Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments | | -------------------------- | ----------- | -------------- | -------------------------------------------------------------------------------------- | --------------- | ---------- | ------------------------------------------------- | | Cloudflare Managed Ruleset | ...e59ec18a | 100725 | Fortinet FortiManager - Remote Code Execution - CVE:CVE-2023-42791, CVE:CVE-2024-23666 | Log | Block | | | Cloudflare Managed Ruleset | ...1dbf58df | 100726 | Ivanti - Remote Code Execution - CVE:CVE-2024-8190 | Log | Block | | | Cloudflare Managed Ruleset | ...0ad61fa7 | 100727 | Cisco IOS XE - Remote Code Execution - CVE:CVE-2023-20198 | Log | Disabled | Fixed action value in changelog; no rule changes. | | Cloudflare Managed Ruleset | ...7ee56b66 | 100728 | Sitecore - Remote Code Execution - CVE:CVE-2024-46938 | Log | Block | | | Cloudflare Managed Ruleset | ...a6752a38 | 100729 | Microsoft SharePoint - Remote Code Execution - CVE:CVE-2023-33160 | Log | Block | | | Cloudflare Managed Ruleset | ...98d47b69 | 100730 | Pentaho - Template Injection - CVE:CVE-2022-43769, CVE:CVE-2022-43939 | Log | Block | | | Cloudflare Managed Ruleset | ...69fe1e0d | 100700 | Apache SSRF vulnerability CVE-2021-40438 | N/A | Block | | ## 2025-03-11 **WAF Release - 2025-03-11 - Emergency** | Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments | | -------------------------- | ----------- | -------------- | -------------------------------------------------- | --------------- | ---------- | ----------------------- | | Cloudflare Managed Ruleset | ...73febb31 | 100731 | Apache Camel - Code Injection - CVE:CVE-2025-27636 | N/A | Block | This is a New Detection | ## 2025-03-10 **WAF Release - 2025-03-10** | Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments | | -------------------------- | ----------- | -------------- | ---------------------------------------------------------- | --------------- | ---------- | ----------------------- | | Cloudflare Managed Ruleset | ...b2a51e3d | 100722 | Ivanti - Information Disclosure - CVE:CVE-2025-0282 | Log | Block | This is a New Detection | | Cloudflare Managed Ruleset | ...259073d5 | 100723 | Cisco IOS XE - Information Disclosure - CVE:CVE-2023-20198 | Log | Block | This is a New Detection | ## 2025-03-07 **Updated leaked credentials database** Added new records to the leaked credentials database. The record sources are: Have I Been Pwned (HIBP) database, RockYou 2024 dataset, and another third-party database. ## 2025-03-03 **WAF Release - 2025-03-03** | Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments | | -------------------------- | ----------- | -------------- | ------------------------------------------------------------------------------------------- | --------------- | ---------- | ----------------------- | | Cloudflare Managed Ruleset | ...93e63099 | 100721 | Ivanti - Remote Code Execution - CVE:CVE-2024-13159, CVE:CVE-2024-13160, CVE:CVE-2024-13161 | Log | Block | This is a New Detection | | Cloudflare Managed Ruleset | ...cac42ce2 | 100596 | Citrix Content Collaboration ShareFile - Remote Code Execution - CVE:CVE-2023-24489 | N/A | Block | | ## 2025-02-24 **WAF Release - 2025-02-24** | Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments | | -------------------------- | ----------- | -------------- | ----------------------------------------------------- | --------------- | ---------- | ----------------------- | | Cloudflare Managed Ruleset | ...4916911e | 100718A | SonicWall SSLVPN 2 - Auth Bypass - CVE:CVE-2024-53704 | Log | Block | This is a New Detection | | Cloudflare Managed Ruleset | ...c382fdec | 100720 | Palo Alto Networks - Auth Bypass - CVE:CVE-2025-0108 | Log | Block | This is a New Detection | ## 2025-02-18 **WAF Release - 2025-02-18** | Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments | | -------------------------- | ----------- | -------------- | --------------------------------------------------- | --------------- | ---------- | ----------------------- | | Cloudflare Managed Ruleset | ...a2ffa4b8 | 100715 | FortiOS - Auth Bypass - CVE:CVE-2024-55591 | Log | Block | This is a New Detection | | Cloudflare Managed Ruleset | ...5a883e12 | 100716 | Ivanti - Auth Bypass - CVE:CVE-2021-44529 | Log | Block | This is a New Detection | | Cloudflare Managed Ruleset | ...958094d3 | 100717 | SimpleHelp - Auth Bypass - CVE:CVE-2024-57727 | Log | Block | This is a New Detection | | Cloudflare Managed Ruleset | ...3b66df22 | 100718 | SonicWall SSLVPN - Auth Bypass - CVE:CVE-2024-53704 | Log | Block | This is a New Detection | | Cloudflare Managed Ruleset | ...9184699f | 100719 | Yeti Platform - Auth Bypass - CVE:CVE-2024-46507 | Log | Block | This is a New Detection | ## 2025-02-11 **WAF Release - 2025-02-11** | Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments | | -------------------------- | ----------- | -------------- | ------------------------------------------------------------------------- | --------------- | ---------- | ----------------------- | | Cloudflare Managed Ruleset | ...483b4c26 | 100708 | Aviatrix Network - Remote Code Execution - CVE:CVE-2024-50603 | Log | Block | This is a New Detection | | Cloudflare Managed Ruleset | ...7e924ca3 | 100709 | Next.js - Remote Code Execution - CVE:CVE-2024-46982 | Log | Disabled | This is a New Detection | | Cloudflare Managed Ruleset | ...83a7d8ff | 100710 | Progress Software WhatsUp Gold - Directory Traversal - CVE:CVE-2024-12105 | Log | Block | This is a New Detection | | Cloudflare Managed Ruleset | ...baa8eb34 | 100711 | WordPress - Remote Code Execution - CVE:CVE-2024-56064 | Log | Block | This is a New Detection | | Cloudflare Managed Ruleset | ...87f5d34e | 100712 | WordPress - Remote Code Execution - CVE:CVE-2024-9047 | Log | Block | This is a New Detection | | Cloudflare Managed Ruleset | ...bf72cf8a | 100713 | FortiOS - Auth Bypass - CVE:CVE-2022-40684 | Log | Block | This is a New Detection | ## 2025-02-04 **Updated leaked credentials database** Added new records to the leaked credentials database from a third-party database. ## 2025-01-21 **WAF Release - 2025-01-21** | Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments | | -------------------------- | ----------- | -------------- | ---------------------------- | --------------- | ---------- | -------------------------------- | | Cloudflare Managed Ruleset | ...b090ba9a | 100303 | Command Injection - Nslookup | Log | Block | This was released as ...b8d152f4 | | Cloudflare Managed Ruleset | ...49e6b538 | 100534 | Web Shell Activity | Log | Block | This was released as ...82fe4e7f | ## 2025-01-13 **WAF Release - 2025-01-13** | Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments | | -------------------------- | ----------- | -------------- | --------------------------------------------------------------------------------------------- | --------------- | ---------- | ------------- | | Cloudflare Managed Ruleset | ...f49e5840 | 100704 | Cleo Harmony - Auth Bypass - CVE:CVE-2024-55956, CVE:CVE-2024-55953 | Log | Block | New Detection | | Cloudflare Managed Ruleset | ...a6d43bc2 | 100705 | Sentry - SSRF | Log | Block | New Detection | | Cloudflare Managed Ruleset | ...ce6311bb | 100706 | Apache Struts - Remote Code Execution - CVE:CVE-2024-53677 | Log | Block | New Detection | | Cloudflare Managed Ruleset | ...2233da1f | 100707 | FortiWLM - Remote Code Execution - CVE:CVE-2023-48782, CVE:CVE-2023-34993, CVE:CVE-2023-34990 | Log | Block | New Detection | | Cloudflare Managed Ruleset | ...e31d972a | 100007C\_BETA | Command Injection - Common Attack Commands | Disabled | | | ## 2025-01-06 **WAF Release - 2025-01-06** | Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments | | ------------------- | ----------- | -------------- | --------------------------------------------------------------------------------------------------------- | --------------- | ---------- | ------------- | | Cloudflare Specials | ...9da08beb | 100678 | Pandora FMS - Remote Code Execution - CVE:CVE-2024-11320 | Log | Block | New Detection | | Cloudflare Specials | ...ecdf3d02 | 100679 | Palo Alto Networks - Remote Code Execution - CVE:CVE-2024-0012, CVE:CVE-2024-9474 | Log | Block | New Detection | | Cloudflare Specials | ...a40f2a35 | 100680 | Ivanti - Command Injection - CVE:CVE-2024-37397 | Log | Block | New Detection | | Cloudflare Specials | ...58ae3c89 | 100681 | Really Simple Security - Auth Bypass - CVE:CVE-2024-10924 | Log | Block | New Detection | | Cloudflare Specials | ...e37f2da6 | 100682 | Magento - XXE - CVE:CVE-2024-34102 | Log | Block | New Detection | | Cloudflare Specials | ...5054c752 | 100683 | CyberPanel - Remote Code Execution - CVE:CVE-2024-51567 | Log | Block | New Detection | | Cloudflare Specials | ...dfe93d7b | 100684 | Microsoft SharePoint - Remote Code Execution - CVE:CVE-2024-38094, CVE:CVE-2024-38024, CVE:CVE-2024-38023 | Log | Block | New Detection | | Cloudflare Specials | ...1454c856 | 100685 | CyberPanel - Remote Code Execution - CVE:CVE-2024-51568 | Log | Block | New Detection | | Cloudflare Specials | ...e92362e5 | 100686 | Seeyon - Remote Code Execution | Log | Block | New Detection | | Cloudflare Specials | ...b9f1c9f8 | 100687 | WordPress - Remote Code Execution - CVE:CVE-2024-10781, CVE:CVE-2024-10542 | Log | Block | New Detection | | Cloudflare Specials | ...0d7ca374 | 100688 | ProjectSend - Remote Code Execution - CVE:CVE-2024-11680 | Log | Block | New Detection | | Cloudflare Specials | ...a5260b70 | 100689 | Palo Alto GlobalProtect - Remote Code Execution - CVE:CVE-2024-5921 | Log | Block | New Detection | | Cloudflare Specials | ...d007118b | 100690 | Ivanti - Remote Code Execution - CVE:CVE-2024-37404 | Log | Block | New Detection | | Cloudflare Specials | ...c3e49f64 | 100691 | Array Networks - Remote Code Execution - CVE:CVE-2023-28461 | Log | Block | New Detection | | Cloudflare Specials | ...fcc6f5bb | 100692 | CyberPanel - Remote Code Execution - CVE:CVE-2024-51378 | Log | Block | New Detection | | Cloudflare Specials | ...b615335e | 100693 | Symfony Profiler - Auth Bypass - CVE:CVE-2024-50340 | Log | Block | New Detection | | Cloudflare Specials | ...09d08c8a | 100694 | Citrix Virtual Apps - Remote Code Execution - CVE:CVE-2024-8069 | Log | Block | New Detection | | Cloudflare Specials | ...8aafb2f5 | 100695 | MSMQ Service - Remote Code Execution - CVE:CVE-2023-21554 | Log | Block | New Detection | | Cloudflare Specials | ...11b7a8c7 | 100696 | Nginxui - Remote Code Execution - CVE:CVE-2024-49368 | Log | Block | New Detection | | Cloudflare Specials | ...45954c7e | 100697 | Apache ShardingSphere - Remote Code Execution - CVE:CVE-2022-22733 | Log | Block | New Detection | | Cloudflare Specials | ...f5311209 | 100698 | Mitel MiCollab - Auth Bypass - CVE:CVE-2024-41713 | Log | Block | New Detection | | Cloudflare Specials | ...b3e5e46e | 100699 | Apache Solr - Auth Bypass - CVE:CVE-2024-45216 | Log | Block | New Detection | ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/waf/","name":"WAF"}},{"@type":"ListItem","position":3,"item":{"@id":"/waf/change-log/","name":"WAF changelog overview"}},{"@type":"ListItem","position":4,"item":{"@id":"/waf/change-log/changelog/","name":"Changelog"}}]} ```