A critical severity vulnerability related to React Server Components has been disclosed affecting React versions 19.0, 19.1, and 19.2.
Security updates detail rendered from /security-updates/upd_1d27709074901b68.
Overview
| Field | Value |
|---|---|
| ID | upd_1d27709074901b68 |
| Collection | Security Updates |
| Provider | SafeBase |
| Company | BigCommerce |
| URL | - |
| Counts | - |
| Updated | - |
Raw record
| Field | Value |
|---|---|
| id | upd_1d27709074901b68 |
| providerId | safebase |
| organizationId | org_4b69487e03d2295e |
| trustCenterId | tc_cff7a10c06b15d55 |
| title | A critical severity vulnerability related to React Server Components has been disclosed affecting React versions 19.0, 19.1, and 19.2. |
| message | A critical severity vulnerability related to React Server Components has been disclosed affecting React versions 19.0, 19.1, and 19.2. This includes Next.js which is used for internal applications at Commerce as well as customers building storefronts using Catalyst and Makeswift. For further details on the vulnerability, refer to Critical Security Vulnerability in React Server Components. https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components To avoid exposure, Next.js and React need to be updated to their latest patched versions. If you’re hosting your application on Vercel or are using Cloudflare’s WAF, those providers have platform level protections that help mitigate this vulnerability. However, upgrading to the latest versions of Next.js and React is strongly recommended. For further details refer to the Vercel (https://vercel.com/changelog/cve-2025-55182) and Cloudflare (https://blog.cloudflare.com/waf-rules-react-vulnerability/) blog posts |
| url | - |
| publishedAt | 2025-12-04 |
| source | {"field": "statuspage/public/compliance-update", "category": "vulnerabilities"} |
| company | {"id": "org_4b69487e03d2295e", "name": "BigCommerce", "domains": ["security.bigcommerce.com", "bigcommerce.com"]} |
| trust_center | {"id": "tc_cff7a10c06b15d55", "name": "BigCommerce", "url": "https://security.bigcommerce.com", "host": "security.bigcommerce.com"} |
| provider | {"id": "safebase", "name": "SafeBase"} |
| links | {"self": "/v1/security-updates/upd_1d27709074901b68", "company": "/v1/companies/org_4b69487e03d2295e", "trust_center": "/v1/trust-centers/tc_cff7a10c06b15d55", "provider": "/v1/providers/safebase"} |
Get this page with API
Rendered from the bluedoor Trust Centers API. Reproduce it:
GET https://api.bluedoor.sh/trust-centers/v1/security-updates/upd_1d27709074901b68