Issues with Middleware + Cloudflare
Unanswered
Weevil parasitoid posted this in #help-forum
Weevil parasitoidOP
Since the critical safety issue regarding the Middleware exploit, it was fixed in 15.2.3 and Cloudflare created a ruleset.
I upgraded to 15.2.3 but Cloudflare blocks my requests with the reason: "This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are several actions that could trigger this block including submitting a certain word or phrase, a SQL command or malformed data." (403)
I don't really understand what I have to change so I can use fetch to the GraphQL instance in the middleware.
46 Replies
@Weevil parasitoid Since the critical safety issue regarding the Middleware exploit, it was fixed in 15.2.3 and Cloudflare created a ruleset.
I upgraded to 15.2.3 but Cloudflare blocks my requests with the reason: "This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are several actions that could trigger this block including submitting a certain word or phrase, a SQL command or malformed data." (403)
I don't really understand what I have to change so I can use fetch to the GraphQL instance in the middleware.
Did you make any changes to the Cloudflare ruleset, or did Cloudflare create a ruleset?
@Anay-208 | Ping in replies Did you make any changes to the Cloudflare ruleset, or did Cloudflare create a ruleset?
Weevil parasitoidOP
Cloudflare did
If you've upgraded, maybe you can delete that ruleset
Weevil parasitoidOP
"ruleId": "0c42d8fc9aba4a0a9bfd072a021290e7",
"description": "Next.js - Auth Bypass - CVE:CVE-2025-29927",
"rulesetId": "77454fe2d30c4220b5701f6fdfb893ba",
@Anay-208 | Ping in replies If you've upgraded, maybe you can delete that ruleset
Weevil parasitoidOP
But if the problem is fixed, the ruleset shouldn't occur, or am I wrong?
you upgraded to the latest version, so that ruleset should no longer be needed (if I'm right)
I'm not really sure if it should occur, but idk why it's occurring
Weevil parasitoidOP
hm
There has to be some other fix, maybe a header or something
@Anay-208 | Ping in replies you upgraded to the latest version, so that ruleset should no longer be needed (if I'm right)
I'm not really sure if it should occur, but idk why it's occurring
Weevil parasitoidOP
Do you know how to disable the ruleset though? I cannot find it
yes, you should have an option somewhere in WAF
Weevil parasitoidOP
I don't have WAF
@Anay-208 | Ping in replies yes, you should have an option somewhere in WAF
Weevil parasitoidOP
that is what irritates me
Umm, it’s enabled by default I think?
There should be something under Rules or WAF when you select a zone
@Anay-208 | Ping in replies There should be something under Rules or WAF when you select a zone
Weevil parasitoidOP
Everything is empty...
but there still has to be another way
@Anay-208 | Ping in replies you got this using the API?
Weevil parasitoidOP
no, the event dashboard
try using the API to get and delete the event
@Anay-208 | Ping in replies try using the API to get and delete the event
Weevil parasitoidOP
But still, other people don't have this kind of issue
Maybe you have a higher plan, and it could've been automatically enabled.
If you want, you can contact Cloudflare support for further clarification or their community
@Anay-208 | Ping in replies Maybe you have a higher plan, and it could've been automatically enabled.
If you want, you can contact Cloudflare support for further clarification or their community
Weevil parasitoidOP
I mean it was a critical Next.js issue and has to be fixed on my side too.
exactly, that's why Cloudflare must have done it automatically for you in the first place.
I didn't know Cloudflare automatically creates it, you can list it using the API I guess
Weevil parasitoidOP
I don't have access to the zone though, which is the bigger problem
And it won't be the fix to disable Cloudflare rulesets, there has to be some issue on my side still
Umm, how did you trace the error then?
Weevil parasitoidOP
My boss did
Maybe ask him for access to the account to check the issue.
As Cloudflare has just blocked the visitor, not the app.
Maybe someone in your team could've created the rule (otherwise Cloudflare), because I don't think Cloudflare should automatically create rules.
or tell him to check the rules, if he can.
@Anay-208 | Ping in replies Maybe ask him for access to the account to check the issue.
As Cloudflare has just blocked the visitor, not the app.
Maybe someone in your team could've created the rule (otherwise Cloudflare), because I don't think Cloudflare should automatically create rules.
Weevil parasitoidOP
I mean it's a server side request to cloudflare that failed
The client side ones don't fail
@Weevil parasitoid I mean it's a server side request to cloudflare that failed
I'm not sure what you mean, are you like making a request to Your app's api?
Weevil parasitoidOP
My server side middleware makes a request to GraphQL to get the permissions for the user token
oh, do you have cloudflare managed rulesets or something?
Weevil parasitoidOP
no, nothing
and Cloudflare won't be the issue
I mean it's blocking me, but I must be making a wrong request, otherwise it would be fine
Can you try calling the API from an app like Postman, with the header x-middleware-subrequest set to any value, to see if you get blocked by Cloudflare?
Can you just try to explicitly set headers when sending the request, like Content-Type, or basically any?
I think Next.js is automatically passing a x-middleware-subrequest header
I'm not sure if it would even work
I realised it is a managed rule
fetch("https://GRAPHQLHOST/graphql", {
method: "POST",
headers: {
"Content-Type": "application/json",
},
body: JSON.stringify({
query: `
(...)
`,
}),
})
Did you fix the resolve?