A high-severity Denial of Service vulnerability (CVE-2025-55184) and a medium-severity Source Code Exposure vulnerability (CVE-2025-55183) related to React Server Components have been disclosed, affecting React versions 19.0. This includes Next.js, which is used for internal applications at Commerce as well as by customers building storefronts using Catalyst and Makeswift. To avoid exposure, Next.js and React need to be updated to their latest patched versions.

The initial fix was incomplete and did not fully prevent denial-of-service attacks for all payload types, resulting in CVE-2025-67779.

Important: This release provides an additional security patch for the same CVEs addressed in Catalyst 1.3.6. If you upgraded to 1.3.6, you should upgrade to 1.3.7 to receive the latest security fixes.

The Catalyst v1.3.7 release addresses these security vulnerabilities, including the additional CVE-2025-67779.

Key Changes

  • Next.js 15.5.9: Upgraded from Next.js 15.5.8 to 15.5.9

  • React 19: Upgraded to React 19.1.4 and React DOM 19.1.4
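
To confirm that a storefront picked up the versions listed above, the following added example (not part of Catalyst or of the original release notes) classifies the declared versions of next, react and react-dom against the 1.3.7 pins. The function names and the sample package.json contents are constructed for illustration; versions on a newer release line are reported as unverified because this page lists patched versions only for the lines Catalyst ships.

```javascript
// Versions shipped in Catalyst 1.3.7 (from the Key Changes list above).
const CATALYST_1_3_7 = { next: "15.5.9", react: "19.1.4", "react-dom": "19.1.4" };

// Parse "15.5.9", "^15.5.9" or "~19.1.4" into [major, minor, patch].
// For a range, this is its lower bound. Returns null for anything else
// ("latest", "19.x", pre-release tags, workspace references, ...).
function parseVersion(spec) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)$/.exec(String(spec).trim());
  return m ? m.slice(1).map(Number) : null;
}

// Classify one dependency against the 1.3.7 pin:
//   "ok"         same major.minor line, patch at or above the pin
//   "behind"     below the pin (lower patch, or an older release line)
//   "unverified" newer release line or unparseable spec; this page does not
//                list patched versions for those, so check the upstream advisory
function classify(name, spec) {
  const pin = parseVersion(CATALYST_1_3_7[name]);
  const got = parseVersion(spec);
  if (!got) return "unverified";
  if (got[0] === pin[0] && got[1] === pin[1]) return got[2] >= pin[2] ? "ok" : "behind";
  const older = got[0] < pin[0] || (got[0] === pin[0] && got[1] < pin[1]);
  return older ? "behind" : "unverified";
}

// Audit a parsed package.json object. A package absent from both
// dependency maps is reported as "missing".
function auditPackageJson(pkg) {
  const deps = { ...(pkg.devDependencies || {}), ...(pkg.dependencies || {}) };
  const report = {};
  for (const name of Object.keys(CATALYST_1_3_7)) {
    report[name] = name in deps ? classify(name, deps[name]) : "missing";
  }
  return report;
}

// Constructed sample: a storefront still on the Next.js version that 1.3.7 upgrades from,
// with react-dom declared on a release line this page does not cover.
const samplePackageJson = {
  dependencies: { next: "15.5.8", react: "19.1.4", "react-dom": "^19.2.0" },
};
console.log(auditPackageJson(samplePackageJson));
```

A declared range such as `^19.1.0` is judged by its lower bound, so pass the resolved versions from the lockfile or from `npm ls` when the exact installed version matters.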

Migration Guide

Refer to the full migration guide in our developer release notes.

Release Tags

We have published new tags for the Core and Makeswift versions of Catalyst. Target these tags to pull the latest code:

And as always, you can pull the latest stable release with these tags: