A high-severity Denial of Service (CVE-2025-55184) and a medium-severity Source Code Exposure (CVE-2025-55183) related to React Server Components have been disclosed affecting React versions 19.0. This includes Next.js which is used for internal applications at Commerce as well as customers building storefronts using Catalyst and Makeswift. To avoid exposure, Next.js and React need to be updated to their latest patched versions.
The initial fix was incomplete and did not fully prevent denial-of-service attacks for all payload types, resulting in CVE-2025-67779.
Important: This release provides an additional security patch for the same
CVEs addressed in 1.3.6. You
should upgrade to 1.3.7 to receive the latest security fixes.
Catalyst v1.3.7 release addresses these security vulnerabilities, including the additional CVE-2025-67779.
We have published new tags for the Core and Makeswift versions of Catalyst. Target these tags to pull the latest code:
And as always, you can pull the latest stable release with these tags: