This week’s vulnerability analysis highlights emerging web application threats that exploit modern JavaScript behavior and SQL parsing ambiguities. Attackers continue to refine techniques such as attribute overloading and obfuscated logic manipulation to evade detection and compromise front-end and back-end systems.

Key Findings

XSS – Attribute Overloading: A novel cross-site scripting technique where attackers abuse custom or non-standard HTML attributes to smuggle payloads into the DOM. These payloads evade traditional sanitization logic, especially in frameworks that loosely validate attributes or trust unknown tokens.

XSS – onToggle Event Abuse: Exploits the lesser-used onToggle event (triggered by elements like <details>) to execute arbitrary JavaScript when users interact with UI elements. This vector is often overlooked by static analyzers and can be embedded in seemingly benign components.

Impact

These vulnerabilities target both user-facing components and back-end databases, introducing potential vectors for credential theft, session hijacking, or full data exfiltration. The XSS variants bypass conventional filters through overlooked HTML behaviors, while the obfuscated SQLi enables attackers to stealthily probe back-end logic, making them especially difficult to detect and block.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | ...2aa3d845 | 100798 | XSS - Attribute Overloading | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ...37548d06 | 100799 | XSS - OnToggle | Log | Block | This is a New Detection |

This week’s roundup uncovers critical vulnerabilities affecting enterprise VoIP systems, webmail platforms, and a popular JavaScript framework. The risks range from authentication bypass to remote code execution (RCE) and buffer handling flaws, each offering attackers a path to elevate access or fully compromise systems.

Key Findings

Next.js - Auth Bypass: A newly detected authentication bypass flaw in the Next.js framework allows attackers to access protected routes or APIs without proper authorization, undermining application access controls.

Fortinet FortiVoice (CVE-2025-32756): A buffer error vulnerability in FortiVoice systems that could lead to memory corruption and potential code execution or service disruption in enterprise telephony environments.

Roundcube (CVE-2025-49113): A critical RCE flaw allowing unauthenticated attackers to execute arbitrary PHP code via crafted requests, leading to full compromise of mail servers and user inboxes.

Impact

These vulnerabilities affect core business infrastructure, from web interfaces to voice communications and email platforms. The Roundcube RCE and FortiVoice buffer flaw offer potential for deep system access, while the Next.js auth bypass undermines trust boundaries in modern web apps.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | ...7eb35ee6 | 100795 | Next.js - Auth Bypass | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | ...c329aeb0 | 100796 | Fortinet FortiVoice - Buffer Error - CVE:CVE-2025-32756 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | ...ab314023 | 100797 | Roundcube - Remote Code Execution - CVE:CVE-2025-49113 | Log | Disabled | This is a New Detection |

We have significantly increased the limits for IP Lists on Enterprise plans to provide greater flexibility and control:

Total number of lists: Increased from 10 to 1,000.

Total number of list items: Increased from 10,000 to 500,000.

Limits for other list types and plans remain unchanged. For more details, refer to the lists availability.

This week’s roundup highlights multiple critical vulnerabilities across popular web frameworks, plugins, and enterprise platforms. The focus lies on remote code execution (RCE), server-side request forgery (SSRF), and insecure file upload vectors that enable full system compromise or data exfiltration.

Key Findings

Cisco IOS XE (CVE-2025-20188): Critical RCE vulnerability enabling unauthenticated attackers to execute arbitrary commands on network infrastructure devices, risking total router compromise.

Axios (CVE-2024-39338): SSRF flaw impacting server-side request control, allowing attackers to manipulate internal service requests when misconfigured with unsanitized user input.

vBulletin (CVE-2025-48827, CVE-2025-48828): Two high-impact RCE flaws enabling attackers to remotely execute PHP code, compromising forum installations and underlying web servers.

Invision Community (CVE-2025-47916): A critical RCE vulnerability allowing authenticated attackers to run arbitrary code in community platforms, threatening data and lateral movement risk.

CrushFTP (CVE-2025-32102, CVE-2025-32103): SSRF vulnerabilities in upload endpoint processing permit attackers to pivot internal network scans and abuse internal services.

Roundcube (CVE-2025-49113): RCE via email processing enables attackers to execute code upon viewing a crafted email — particularly dangerous for webmail deployments.

WooCommerce WordPress Plugin (CVE-2025-47577): Dangerous file upload vulnerability permits unauthenticated users to upload executable payloads, leading to full WordPress site takeover.

Cross-Site Scripting (XSS) Detection Improvements: Enhanced detection patterns.

Impact

These vulnerabilities span core systems — from routers to e-commerce to email. RCE in Cisco IOS XE, Roundcube, and vBulletin poses full system compromise. SSRF in Axios and CrushFTP supports internal pivoting, while WooCommerce’s file upload bug opens doors to mass WordPress exploitation.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | ...35fefd53 | 100783 | Cisco IOS XE - Remote Code Execution - CVE:CVE-2025-20188 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ...8332af5d | 100784 | Axios - SSRF - CVE:CVE-2024-39338 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ...2e1648d2 | 100785 | vBulletin - Remote Code Execution - CVE:CVE-2025-48827, CVE:CVE-2025-48828 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ...0edcf1ef | 100786 | Invision Community - Remote Code Execution - CVE:CVE-2025-47916 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ...d6f5eb48 | 100791 | CrushFTP - SSRF - CVE:CVE-2025-32102, CVE:CVE-2025-32103 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ...30baa18a | 100792 | Roundcube - Remote Code Execution - CVE:CVE-2025-49113 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ...229ba236 | 100793 | XSS - Ontoggle | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | ...fa338296 | 100794 | WordPress WooCommerce Plugin - Dangerous File Upload - CVE:CVE-2025-47577 | Log | Block | This is a New Detection |

This week’s update spotlights four critical vulnerabilities across CMS platforms, VoIP systems, and enterprise applications. Several flaws enable remote code execution or privilege escalation, posing significant enterprise risks.

Key Findings

WordPress OttoKit Plugin (CVE-2025-27007): Privilege escalation flaw allows unauthenticated attackers to create or elevate user accounts, compromising WordPress administrative control.

SAP NetWeaver (CVE-2025-42999): Remote Code Execution vulnerability enables attackers to execute arbitrary code on SAP NetWeaver systems, threatening core ERP and business operations.

Fortinet FortiVoice (CVE-2025-32756): Buffer error vulnerability may lead to memory corruption and potential code execution, directly impacting enterprise VoIP infrastructure.

Camaleon CMS (CVE-2024-46986): Remote Code Execution vulnerability allows attackers to gain full control over Camaleon CMS installations, exposing hosted content and underlying servers.

Impact

These vulnerabilities target widely deployed CMS, ERP, and VoIP systems. RCE flaws in SAP NetWeaver and Camaleon CMS allow full takeover of business-critical applications. Privilege escalation in OttoKit exposes WordPress environments to full administrative compromise. FortiVoice buffer handling issues risk destabilizing or fully compromising enterprise telephony systems.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | ...0debd86e | 100769 | WordPress OttoKit Plugin - Privilege Escalation - CVE:CVE-2025-27007 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ...5f57b448 | 100770 | SAP NetWeaver - Remote Code Execution - CVE:CVE-2025-42999 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ...4df8857a | 100779 | Fortinet FortiVoice - Buffer Error - CVE:CVE-2025-32756 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ...3b840107 | 100780 | Camaleon CMS - Remote Code Execution - CVE:CVE-2024-46986 | Log | Block | This is a New Detection |

This week’s roundup highlights five high-risk vulnerabilities affecting SD-WAN, load balancers, and AI platforms. Several flaws enable unauthenticated remote code execution or authentication bypass.

Key Findings

Versa Concerto SD-WAN (CVE-2025-34026, CVE-2025-34027): Authentication bypass vulnerabilities allow attackers to gain unauthorized access to SD-WAN management interfaces, compromising network segmentation and control.

Kemp LoadMaster (CVE-2024-7591): Remote Code Execution vulnerability enables attackers to execute arbitrary commands, potentially leading to full device compromise within enterprise load balancing environments.

AnythingLLM (CVE-2024-0759): Server-Side Request Forgery (SSRF) flaw allows external attackers to force the LLM backend to make unauthorized internal network requests, potentially exposing sensitive internal resources.

Anyscale Ray (CVE-2023-48022): Remote Code Execution vulnerability affecting distributed AI workloads, allowing attackers to execute arbitrary code on Ray cluster nodes.

Server-Side Request Forgery (SSRF) - Generic & Obfuscated Payloads: Ongoing advancements in SSRF payload techniques observed, including obfuscation and expanded targeting of cloud metadata services and internal IP ranges.

Impact

These vulnerabilities expose critical infrastructure across networking, AI platforms, and SaaS integrations. Unauthenticated RCE and auth bypass flaws in Versa Concerto, Kemp LoadMaster, and Anyscale Ray allow full system compromise. AnythingLLM and SSRF payload variants expand attack surfaces into internal cloud resources, sensitive APIs, and metadata services, increasing risk of privilege escalation, data theft, and persistent access.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | ...39b52f02 | 100764 | Versa Concerto SD-WAN - Auth Bypass - CVE:CVE-2025-34027 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ...a34edb97 | 100765 | Versa Concerto SD-WAN - Auth Bypass - CVE:CVE-2025-34026 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ...0d99b2db | 100766 | Kemp LoadMaster - Remote Code Execution - CVE:CVE-2024-7591 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ...95aa3a4f | 100767 | AnythingLLM - SSRF - CVE:CVE-2024-0759 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ...840a0966 | 100768 | Anyscale Ray - Remote Code Execution - CVE:CVE-2023-48022 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ...9d16ee18 | 100781 | SSRF - Generic Payloads | N/A | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | ...5c963d9d | 100782 | SSRF - Obfuscated Payloads | N/A | Disabled | This is a New Detection |

We have deployed an updated attack score model focused on enhancing the detection of multiple false positives (FPs).

As a result of this improvement, some changes in observed attack scores are expected.

This week’s roundup covers nine vulnerabilities, including six critical RCEs and one dangerous file upload. Affected platforms span cloud services, CI/CD pipelines, CMSs, and enterprise backup systems. Several are now addressed by updated WAF managed rulesets.

Key Findings

Ingress-Nginx (CVE-2025-1098): Unauthenticated RCE via unsafe annotation handling. Impacts Kubernetes clusters.

GitHub Actions (CVE-2025-30066): RCE through malicious workflow inputs. Targets CI/CD pipelines.

Craft CMS (CVE-2025-32432): Template injection enables unauthenticated RCE. High risk to content-heavy sites.

F5 BIG-IP (CVE-2025-31644): RCE via TMUI exploit, allowing full system compromise.

AJ-Report (CVE-2024-15077): RCE through untrusted template execution. Affects reporting dashboards.

NAKIVO Backup (CVE-2024-48248): RCE via insecure script injection. High-value target for ransomware.

SAP NetWeaver (CVE-2025-31324): Dangerous file upload flaw enables remote shell deployment.

Ivanti EPMM (CVE-2025-4428, CVE-2025-4427): Auth bypass allows full access to mobile device management.

Vercel (CVE-2025-32421): Information leak via misconfigured APIs. Useful for attacker recon.

Impact

These vulnerabilities expose critical components across Kubernetes, CI/CD pipelines, and enterprise systems to severe threats including unauthenticated remote code execution, authentication bypass, and information leaks. High-impact flaws in Ingress-Nginx, Craft CMS, F5 BIG-IP, and NAKIVO Backup enable full system compromise, while SAP NetWeaver and AJ-Report allow remote shell deployment and template-based attacks. Ivanti EPMM’s auth bypass further risks unauthorized control over mobile device fleets.

GitHub Actions and Vercel introduce supply chain and reconnaissance risks, allowing malicious workflow inputs and data exposure that aid in targeted exploitation. Organizations should prioritize immediate patching, enhance monitoring, and deploy updated WAF and IDS signatures to defend against likely active exploitation.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | ...d127592a | 100746 | Vercel - Information Disclosure | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | ...95442495 | 100754 | AJ-Report - Remote Code Execution - CVE:CVE-2024-15077 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ...dfee7ae4 | 100756 | NAKIVO Backup - Remote Code Execution - CVE:CVE-2024-48248 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ...1c52f6d0 | 100757 | Ingress-Nginx - Remote Code Execution - CVE:CVE-2025-1098 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | ...95442495 | 100759 | SAP NetWeaver - Dangerous File Upload - CVE:CVE-2025-31324 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ...5366ccc1 | 100760 | Craft CMS - Remote Code Execution - CVE:CVE-2025-32432 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ...eb40686b | 100761 | GitHub Action - Remote Code Execution - CVE:CVE-2025-30066 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | ...60fc041c | 100762 | Ivanti EPMM - Auth Bypass - CVE:CVE-2025-4428, CVE:CVE-2025-4427 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ...ebafdfe6 | 100763 | F5 Big IP - Remote Code Execution - CVE:CVE-2025-31644 | Log | Disabled | This is a New Detection |

This week's analysis covers four vulnerabilities, with three rated critical due to their Remote Code Execution (RCE) potential. One targets a high-traffic frontend platform, while another targets a popular content management system. These detections are now part of the Cloudflare Managed Ruleset in Block mode.

Key Findings

Commvault Command Center (CVE-2025-34028) exposes an unauthenticated RCE via insecure command injection paths in the web UI. This is critical due to its use in enterprise backup environments.

BentoML (CVE-2025-27520) reveals an exploitable vector where serialized payloads in model deployment APIs can lead to arbitrary command execution. This targets modern AI/ML infrastructure.

Craft CMS (CVE-2024-56145) allows RCE through template injection in unauthenticated endpoints. It poses a significant risk for content-heavy websites with plugin extensions.

Apache HTTP Server (CVE-2024-38475) discloses sensitive server config data due to misconfigured mod_proxy behavior. While not RCE, this is useful for pre-attack recon.

Impact

These newly detected vulnerabilities introduce critical risk across modern web stacks, AI infrastructure, and content platforms: unauthenticated RCEs in Commvault, BentoML, and Craft CMS enable full system compromise with minimal attacker effort.

Apache HTTPD information leak can support targeted reconnaissance, increasing the success rate of follow-up exploits. Organizations using these platforms should prioritize patching and monitor for indicators of exploitation using updated WAF detection rules.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | ...75129820 | 100745 | Apache HTTP Server - Information Disclosure - CVE:CVE-2024-38475 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ...26a517f1 | 100747 | Commvault Command Center - Remote Code Execution - CVE:CVE-2025-34028 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ...d7619ccb | 100749 | BentoML - Remote Code Execution - CVE:CVE-2025-27520 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | ...f15bfda4 | 100753 | Craft CMS - Remote Code Execution - CVE:CVE-2024-56145 | Log | Block | This is a New Detection |

We have upgraded WAF Payload Logging to enhance rule diagnostics and usability:

Targeted logging: Logs now capture only the specific portions of requests that triggered WAF rules, rather than entire request segments.

Visual highlighting: Matched content is visually highlighted in the UI for faster identification.

Enhanced context: Logs now include surrounding context to make diagnostics more effective.

Payload Logging is available to all Enterprise customers. If you have not used Payload Logging before, check how you can get started.

Note: The structure of the encrypted_matched_data field in Logpush has changed from Map<Field, Value> to Map<Field, {Before: bytes, Content: Value, After: bytes}>. If you rely on this field in your Logpush jobs, you should review and update your processing logic accordingly.
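The shape change in the note above is the kind of thing that silently breaks a Logpush consumer, so here is an added example (not Cloudflare's code) of a normaliser that accepts both the old Map<Field, Value> shape and the new {Before, Content, After} shape and yields uniform records. It assumes the field has already been decrypted into a Python dict using the key names quoted in the note, and that Before/After arrive either as bytes or as already-decoded text; the sample records are constructed.

```python
"""Normalise WAF Payload Logging matched data across the old and new Logpush shapes."""
from typing import Any, Dict, List

# Key names as quoted in the changelog note:
# Map<Field, {Before: bytes, Content: Value, After: bytes}>
CONTEXT_KEYS = {"Before", "Content", "After"}


def _as_text(blob: Any) -> str:
    """Context comes as bytes or already-decoded text (assumption); return a string."""
    if blob is None:
        return ""
    if isinstance(blob, (bytes, bytearray)):
        return bytes(blob).decode("utf-8", errors="replace")
    return str(blob)


def normalize_matched_data(matched: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return one record per matched field with before/content/after, whatever the input shape.

    Legacy shape: {"http.request.uri.query": "<matched value>"}
    New shape:    {"http.request.uri.query": {"Before": b"...", "Content": "<matched value>", "After": b"..."}}
    A map may mix both shapes while jobs are migrating, so each entry is classified on its own.
    """
    records: List[Dict[str, str]] = []
    for field, value in matched.items():
        # Assumption: the new shape always carries all three keys.
        if isinstance(value, dict) and CONTEXT_KEYS <= set(value):
            records.append({
                "field": field,
                "before": _as_text(value["Before"]),
                "content": _as_text(value["Content"]),
                "after": _as_text(value["After"]),
                "format": "new",
            })
        else:
            records.append({
                "field": field,
                "before": "",
                "content": _as_text(value),
                "after": "",
                "format": "legacy",
            })
    return records


def highlight(record: Dict[str, str], start: str = "[[", end: str = "]]") -> str:
    """Render before + marked content + after, mirroring the dashboard's highlighting."""
    return f"{record['before']}{start}{record['content']}{end}{record['after']}"


# Constructed samples (not real log data): one entry per shape, in a single map.
SAMPLE_DECRYPTED = {
    "http.request.uri.query": {
        "Before": b"page=2&q=",
        "Content": "' OR '1'='1",
        "After": b"&sort=asc",
    },
    "http.request.headers[\"user-agent\"]": "legacy-matched-value",
}


def summarize(matched: Dict[str, Any]) -> List[str]:
    """One printable line per record: field, shape, and highlighted excerpt."""
    return [f"{r['field']} ({r['format']}): {highlight(r)}" for r in normalize_matched_data(matched)]


if __name__ == "__main__":
    for line in summarize(SAMPLE_DECRYPTED):
        print(line)
```

Classifying each entry independently rather than the whole map means a job that reads historical and current events in one batch keeps working; decryption of the field itself (done with the private key you configured for Payload Logging) happens before this step and is out of scope here.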

This week's analysis covers five CVEs with varying impact levels. Four are rated critical, while one is rated high severity. Remote Code Execution vulnerabilities dominate this set.

Key Findings

GFI KerioControl (CVE-2024-52875) contains an unauthenticated Remote Code Execution (RCE) vulnerability that targets firewall appliances. This vulnerability can let attackers gain root level system access, making this CVE particularly attractive for threat actors.

The SonicWall SMA vulnerabilities remain concerning due to their continued exploitation since 2021. These critical vulnerabilities in remote access solutions create dangerous entry points to networks.

Impact

Customers using the Managed Ruleset will receive rule coverage following this week's release. Below is a breakdown of the recommended prioritization based on current exploitation trends:

GFI KerioControl (CVE-2024-52875) - Highest priority; unauthenticated RCE

SonicWall SMA (Multiple vulnerabilities) - Critical for network appliances

XWiki (CVE-2025-24893) - High priority for development environments

Langflow (CVE-2025-3248) - Important for AI workflow platforms

MinIO (CVE-2025-31489) - Important for object storage implementations

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | ...d0b7a392 | 100724 | GFI KerioControl - Remote Code Execution - CVE:CVE-2024-52875 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ...717a9e42 | 100748 | XWiki - Remote Code Execution - CVE:CVE-2025-24893 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ...e9cf745d | 100750 | SonicWall SMA - Dangerous File Upload - CVE:CVE-2021-20040, CVE:CVE-2021-20041, CVE:CVE-2021-20042 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ...d29da333 | 100751 | Langflow - Remote Code Execution - CVE:CVE-2025-3248 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ...caa7b208 | 100752 | MinIO - Auth Bypass - CVE:CVE-2025-31489 | Log | Block | This is a New Detection |

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | ...19fcc883 | 100755 | React.js - Router and Remix Vulnerability - CVE:CVE-2025-43864, CVE:CVE-2025-43865 | Block | Block | This is a New Detection |

Each of this week's rule releases covers a distinct CVE, with half of the rules targeting Remote Code Execution (RCE) attacks. Of the 6 CVEs covered, four were scored as critical, with the other two scored as high.

When deciding which exploits to tackle, Cloudflare tunes into the attackers' areas of focus. Cloudflare's network intelligence provides a unique lens into attacker activity – for instance, through the volume of blocked requests related to CVE exploits after updating WAF Managed Rules with new detections.

From this week's releases, one indicator that RCE is a "hot topic" attack type is the fact that the Oracle PeopleSoft RCE rule accounts for half of all of the new rule matches. This rule patches CVE-2023-22047, a high-severity vulnerability in the Oracle PeopleSoft suite that allows unauthenticated attackers to access PeopleSoft Enterprise PeopleTools data through remote code execution. This is particularly concerning because of the nature of the data managed by PeopleSoft – this can include payroll records or student profile information. This CVE, along with five others, is addressed with the latest detection update to WAF Managed Rules.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | ...a5be3327 | 100738 | GitLab - Auth Bypass - CVE:CVE-2023-7028 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | ...6c9531fa | 100740 | Splunk Enterprise - Remote Code Execution - CVE:CVE-2025-20229 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | ...f40bbc2b | 100741 | Oracle PeopleSoft - Remote Code Execution - CVE:CVE-2023-22047 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | ...5462167c | 100742 | CrushFTP - Auth Bypass - CVE:CVE-2025-31161 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | ...caa7b208 | 100743 | Ivanti - Buffer Error - CVE:CVE-2025-22457 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | ...d52139a8 | 100744 | Oracle Access Manager - Remote Code Execution - CVE:CVE-2021-35587 | Log | Disabled | This is a New Detection |

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | ...d6b2d36c | 100739A | Next.js - Auth Bypass - CVE:CVE-2025-29927 - 2 | Log | Disabled | This is a New Detection |

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | ...622f0483 | 100732 | Sitecore - Code Injection - CVE:CVE-2025-27218 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ...0f101cca | 100733 | Angular-Base64-Upload - Remote Code Execution - CVE:CVE-2024-42640 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ...1bbcd247 | 100734 | Apache Camel - Remote Code Execution - CVE:CVE-2025-29891 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | ...90aea1ca | 100735 | Progress Software WhatsUp Gold - Remote Code Execution - CVE:CVE-2024-4885 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ...d9d8c5f2 | 100737 | Apache Tomcat - Remote Code Execution - CVE:CVE-2025-24813 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ...a28a42c4 | 100659 | Common Payloads for Server-side Template Injection | N/A | Disabled | N/A |
| Cloudflare Managed Ruleset | ...daa4b037 | 100659 | Common Payloads for Server-side Template Injection - Base64 | N/A | Disabled | N/A |
| Cloudflare Managed Ruleset | ...48f6a9cf | 100642 | LDAP Injection | N/A | Disabled | N/A |
| Cloudflare Managed Ruleset | ...e0713e9f | 100642 | LDAP Injection Base64 | N/A | Disabled | N/A |
| Cloudflare Managed Ruleset | ...1bc977d1 | 100005 | DotNetNuke - File Inclusion - CVE:CVE-2018-9126, CVE:CVE-2011-1892, CVE:CVE-2022-31474 | N/A | Disabled | N/A |
| Cloudflare Managed Ruleset | ...bb70a463 | 100527 | Apache Struts - CVE:CVE-2021-31805 | N/A | Block | N/A |
| Cloudflare Managed Ruleset | ...0c99546a | 100702 | Command Injection - CVE:CVE-2022-24108 | N/A | Block | N/A |
| Cloudflare Managed Ruleset | ...9a5581d0 | 100622C | Ivanti - Command Injection - CVE:CVE-2023-46805, CVE:CVE-2024-21887, CVE:CVE-2024-22024 | N/A | Block | N/A |
| Cloudflare Managed Ruleset | ...06d0b009 | 100536C | GraphQL Command Injection | N/A | Disabled | N/A |
| Cloudflare Managed Ruleset | ...1651d0c8 | 100536 | GraphQL Injection | N/A | Disabled | N/A |
| Cloudflare Managed Ruleset | ...af00f61d | 100536A | GraphQL Introspection | N/A | Disabled | N/A |
| Cloudflare Managed Ruleset | ...a41e5b67 | 100536B | GraphQL SSRF | N/A | Disabled | N/A |
| Cloudflare Managed Ruleset | ...433e5b3d | 100559A | Prototype Pollution - Common Payloads | N/A | Disabled | N/A |
| Cloudflare Managed Ruleset | ...4816b26f | 100559A | Prototype Pollution - Common Payloads - Base64 | N/A | Disabled | N/A |
| Cloudflare Managed Ruleset | ...fcea5ed2 | 100734 | Apache Camel - Remote Code Execution - CVE:CVE-2025-29891 | N/A | Disabled | N/A |

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | ...f472013e | 100739 | Next.js - Auth Bypass - CVE:CVE-2025-29927 | N/A | Disabled | This is a New Detection |

Update: Mon Mar 24th, 11PM UTC: Next.js has made further changes to address a smaller vulnerability introduced in the patches made to its middleware handling. Users should upgrade to Next.js versions 15.2.4, 14.2.26, 13.5.10 or 12.3.6. If you are unable to immediately upgrade or are running an older version of Next.js, you can enable the WAF rule described in this changelog as a mitigation.

Update: Mon Mar 24th, 8PM UTC: Next.js has now backported the patch for this vulnerability to cover Next.js v12 and v13. Users on those versions will need to patch to 13.5.9 and 12.3.5 (respectively) to mitigate the vulnerability.

Update: Sat Mar 22nd, 4PM UTC: We have changed this WAF rule to opt-in only, as sites that use auth middleware with third-party auth vendors were observing failing requests.

We strongly recommend updating your version of Next.js (if eligible) to the patched versions, as your app will otherwise be vulnerable to an authentication bypass attack regardless of auth provider.

Enable the Managed Rule (strongly recommended)

This rule is opt-in only for sites on the Pro plan or above in the WAF managed ruleset.

To enable the rule:

1. Head to Security > WAF > Managed rules in the Cloudflare dashboard for the zone (website) you want to protect.
2. Click the three dots next to Cloudflare Managed Ruleset and choose Edit.
3. Scroll down and choose Browse Rules.
4. Search for CVE-2025-29927 (ruleId: 34583778093748cc83ff7b38f472013e).
5. Change the Status to Enabled and the Action to Block. You can optionally set the rule to Log, to validate potential impact before enabling it. Log will not block requests.
6. Click Next.
7. Scroll down and choose Save.

This will enable the WAF rule and block requests with the x-middleware-subrequest header regardless of Next.js version.

Create a WAF rule (manual)

For users on the Free plan, or who want to define a more specific rule, you can create a Custom WAF rule to block requests with the x-middleware-subrequest header regardless of Next.js version.

To create a custom rule:

1. Head to Security > WAF > Custom rules in the Cloudflare dashboard for the zone (website) you want to protect.
2. Give the rule a name, e.g. next-js-CVE-2025-29927.
3. Set the matching parameters for the rule to match any request where the x-middleware-subrequest header exists, per the rule expression below.

```
(len(http.request.headers["x-middleware-subrequest"]) > 0)
```

4. Set the action to 'block'. If you want to observe the impact before blocking requests, set the action to 'log' (and edit the rule later).
5. Deploy the rule.
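The dashboard steps above can be scripted, and the log-before-block advice can be rehearsed offline. The following added example (not Cloudflare's code) builds the same custom rule from the expression in this changelog, posts it to the zone's custom-rules phase through the Cloudflare Rulesets API (the entry point URL is the documented one for the http_request_firewall_custom phase), and also evaluates the expression locally against constructed sample requests so you can see which traffic would be matched. The environment variable names and the sample requests are this example's own.

```python
"""Deploy the CVE-2025-29927 custom WAF rule and dry-run its expression locally."""
import json
import os
import urllib.request

# Header and expression exactly as given in the changelog entry above.
HEADER = "x-middleware-subrequest"
RULE_EXPRESSION = '(len(http.request.headers["x-middleware-subrequest"]) > 0)'


def build_custom_rule(action: str = "block", description: str = "next-js-CVE-2025-29927") -> dict:
    """Return the JSON body of a zone-level custom rule; action is 'block' or 'log'."""
    if action not in ("block", "log"):
        raise ValueError("action must be 'block' or 'log'")
    return {"description": description, "expression": RULE_EXPRESSION, "action": action}


def deploy_custom_rule(zone_id: str, api_token: str, action: str = "block") -> dict:
    """POST the rule to the zone's http_request_firewall_custom entry point ruleset."""
    url = (f"https://api.cloudflare.com/client/v4/zones/{zone_id}"
           "/rulesets/phases/http_request_firewall_custom/entrypoint/rules")
    req = urllib.request.Request(
        url,
        data=json.dumps(build_custom_rule(action)).encode("utf-8"),
        headers={"Authorization": f"Bearer {api_token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def header_values(headers, name: str) -> list:
    """Mirror http.request.headers[name]: every value of that header, matched case-insensitively.
    A header sent with an empty value still contributes one (empty) entry, so it still matches."""
    return [value for hname, value in headers if hname.lower() == name.lower()]


def evaluate(headers, action: str = "block") -> str:
    """Local dry run of the rule expression for one request (headers as (name, value) pairs).
    Returns the configured action when the expression matches, otherwise 'allow'."""
    if len(header_values(headers, HEADER)) > 0:
        return action
    return "allow"


# Constructed sample requests (not captured traffic), keyed by a short label.
SAMPLE_REQUESTS = {
    "normal browser request": [("host", "app.example"), ("accept", "text/html")],
    "header present, lower-case": [("host", "app.example"), (HEADER, "middleware")],
    "header present, mixed case": [("host", "app.example"), ("X-Middleware-Subrequest", "x")],
    "header present but empty": [("host", "app.example"), (HEADER, "")],
}


def dry_run(action: str = "log") -> dict:
    """Verdict per sample request; run with 'log' first to gauge impact, then switch to 'block'."""
    return {label: evaluate(hdrs, action) for label, hdrs in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, verdict in dry_run("block").items():
        print(f"{verdict:5}  {label}")
    # Only call the API when credentials are supplied (variable names are this example's own).
    zone, token = os.environ.get("CF_ZONE_ID"), os.environ.get("CF_API_TOKEN")
    if zone and token:
        print(json.dumps(deploy_custom_rule(zone, token, action="log"), indent=2))
```

The local evaluator reproduces the two properties that matter for this rule: header names compare case-insensitively, and presence alone triggers the match, so a request carrying the header with an empty value is still treated as an attempt. Deploy with action "log" first, watch the Security events for the rule's description, then re-deploy (or edit) with "block".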

We've made a WAF (Web Application Firewall) rule available to all sites on Cloudflare to protect against the Next.js authentication bypass vulnerability (CVE-2025-29927) published on March 21st, 2025.

Note: This rule is not enabled by default as it blocked requests across sites for specific authentication middleware.

This managed rule protects sites using Next.js on Workers and Pages, as well as sites using Cloudflare to protect Next.js applications hosted elsewhere.

This rule has been made available (but not enabled by default) to all sites as part of our WAF Managed Ruleset and blocks requests that attempt to bypass authentication in Next.js applications.

The vulnerability affects almost all Next.js versions, and has been fully patched in Next.js 14.2.26 and 15.2.4. Earlier, interim releases did not fully patch this vulnerability.

Users on older versions of Next.js (11.1.4 to 13.5.6) did not originally have a patch available, but the patch for this vulnerability and a subsequent additional patch have been backported to Next.js versions 12.3.6 and 13.5.10 as of Monday, March 24th. Users on Next.js v11 will need to deploy the stated workaround or enable the WAF rule.

The managed WAF rule mitigates this by blocking external user requests with the x-middleware-subrequest header regardless of Next.js version, but we recommend users using Next.js 14 and 15 upgrade to the patched versions of Next.js as an additional mitigation.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | ...a2cafae7 | 100736 | Generic HTTP Request Smuggling | N/A | Disabled | This is a New Detection |

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | ...e59ec18a | 100725 | Fortinet FortiManager - Remote Code Execution - CVE:CVE-2023-42791, CVE:CVE-2024-23666 | Log | Block | |
| Cloudflare Managed Ruleset | ...1dbf58df | 100726 | Ivanti - Remote Code Execution - CVE:CVE-2024-8190 | Log | Block | |
| Cloudflare Managed Ruleset | ...0ad61fa7 | 100727 | Cisco IOS XE - Remote Code Execution - CVE:CVE-2023-20198 | Log | Block | |
| Cloudflare Managed Ruleset | ...7ee56b66 | 100728 | Sitecore - Remote Code Execution - CVE:CVE-2024-46938 | Log | Block | |
| Cloudflare Managed Ruleset | ...a6752a38 | 100729 | Microsoft SharePoint - Remote Code Execution - CVE:CVE-2023-33160 | Log | Block | |
| Cloudflare Managed Ruleset | ...98d47b69 | 100730 | Pentaho - Template Injection - CVE:CVE-2022-43769, CVE:CVE-2022-43939 | Log | Block | |
| Cloudflare Managed Ruleset | ...69fe1e0d | 100700 | Apache SSRF vulnerability CVE-2021-40438 | N/A | Block | |

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | ...73febb31 | 100731 | Apache Camel - Code Injection - CVE:CVE-2025-27636 | N/A | Block | This is a New Detection |

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | ...b2a51e3d | 100722 | Ivanti - Information Disclosure - CVE:CVE-2025-0282 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ...259073d5 | 100723 | Cisco IOS XE - Information Disclosure - CVE:CVE-2023-20198 | Log | Block | This is a New Detection |

Added new records to the leaked credentials database. The record sources are: Have I Been Pwned (HIBP) database, RockYou 2024 dataset, and another third-party database.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | ...93e63099 | 100721 | Ivanti - Remote Code Execution - CVE:CVE-2024-13159, CVE:CVE-2024-13160, CVE:CVE-2024-13161 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ...cac42ce2 | 100596 | Citrix Content Collaboration ShareFile - Remote Code Execution - CVE:CVE-2023-24489 | N/A | Block | |

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | ...4916911e | 100718A | SonicWall SSLVPN 2 - Auth Bypass - CVE:CVE-2024-53704 | Log | Block | This is a New Detection |
| Cloudflare Managed Ruleset | ...c382fdec | 100720 | Palo Alto Networks - Auth Bypass - CVE:CVE-2025-0108 | Log | Block | This is a New Detection |