React Server Components Vulnerability



Written by
James Q Quick

12/03/2025


A critical severity vulnerability related to React Server Components has been disclosed affecting React versions 19.0, 19.1, and 19.2. This includes Next.js which is used for internal applications at Commerce as well as customers building storefronts using Catalyst and Makeswift. For further details on the vulnerability, refer to Critical Security Vulnerability in React Server Components.

To avoid exposure, Next.js and React need to be updated to their latest patched versions.

If you’re hosting your application on Vercel or are using Cloudflare’s WAF, those providers have platform-level protections that help mitigate this vulnerability. However, upgrading to the latest versions of Next.js and React is strongly recommended. For further details, refer to the Vercel and Cloudflare blog posts.

Here’s what else you need to know specific to Commerce.

Actions we are taking

All affected Next.js applications at Commerce have been upgraded to a patched version of Next.js, addressing the vulnerability. We’ve also released Catalyst v1.3.5 which ships with a patched version of Next.js.

Actions you need to take

If you are running a Catalyst-based headless storefront, you will need to update it to a version that includes the patched releases of Next.js and React. The following Catalyst versions incorporate these fixes.

@bigcommerce/catalyst-core@1.3.5

@bigcommerce/catalyst-makeswift@1.3.6

For migration details, refer to the Catalyst 1.3.5 Release Notes.

If you’re using a version of @bigcommerce/catalyst-b2b-buyer-portal, follow the manual steps outlined in the release notes.
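A quick way to inventory a storefront before and after the upgrade is to read its lock file. The script below is an added example, not BigCommerce's code: it walks the "packages" map of a package-lock.json, flags any react entry on the affected 19.0, 19.1 or 19.2 lines so you can confirm it is the patched release, and flags @bigcommerce/catalyst-core below 1.3.5 or @bigcommerce/catalyst-makeswift below 1.3.6. The sample lock data at the end is constructed for illustration.

```javascript
// Added example, not from the BigCommerce post: audit a package-lock.json "packages"
// map for React on the affected 19.0/19.1/19.2 lines and for Catalyst packages below
// the patched releases the post names.
const AFFECTED_REACT_MINORS = new Set(["19.0", "19.1", "19.2"]);
const MIN_PATCHED_CATALYST = {
  "@bigcommerce/catalyst-core": "1.3.5",
  "@bigcommerce/catalyst-makeswift": "1.3.6",
};
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}
// Negative if a < b, zero if equal, positive if a > b; prerelease tags are ignored.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
// Package name from a lock path such as "node_modules/foo/node_modules/react";
// the root entry "" has no node_modules segment and yields null.
function packageName(lockPath) {
  const i = lockPath.lastIndexOf("node_modules/");
  return i === -1 ? null : lockPath.slice(i + "node_modules/".length);
}
function auditLock(packages) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(packages)) {
    const name = packageName(lockPath);
    if (!name || !meta || !meta.version) continue;
    if (name === "react") {
      const [major, minor] = parseSemver(meta.version);
      if (AFFECTED_REACT_MINORS.has(`${major}.${minor}`))
        findings.push(`${lockPath}: react ${meta.version} is on an affected line; confirm it is the patched release`);
    } else if (Object.prototype.hasOwnProperty.call(MIN_PATCHED_CATALYST, name)) {
      const min = MIN_PATCHED_CATALYST[name];
      if (compareSemver(meta.version, min) < 0)
        findings.push(`${lockPath}: ${name} ${meta.version} is below patched ${min}`);
    }
  }
  return findings;
}
// Constructed sample lock data, not taken from any real storefront.
const SAMPLE_LOCK_PACKAGES = {
  "node_modules/react": { version: "19.2.0" },
  "node_modules/@bigcommerce/catalyst-core": { version: "1.3.4" },
  "node_modules/@bigcommerce/catalyst-makeswift": { version: "1.3.6" },
  "node_modules/some-lib/node_modules/react": { version: "18.3.1" },
};
auditLock(SAMPLE_LOCK_PACKAGES).forEach((f) => console.log(f));
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8")).packages` to auditLock instead of the sample map; nested copies of react under other packages are checked too.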

Makeswift

Makeswift customers that are not using Catalyst should follow the Makeswift blog post for specific mitigation steps.
