A critical severity vulnerability related to React Server Components has been disclosed affecting React versions 19.0, 19.1, and 19.2. This includes Next.js which is used for internal applications at Commerce as well as customers building storefronts using Catalyst and Makeswift. For further details on the vulnerability, refer to Critical Security Vulnerability in React Server Components. https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

To avoid exposure, Next.js and React need to be updated to their latest patched versions.

If you’re hosting your application on Vercel or are using Cloudflare’s WAF, those providers have platform level protections that help mitigate this vulnerability. However, upgrading to the latest versions of Next.js and React is strongly recommended. For further details refer to the Vercel (https://vercel.com/changelog/cve-2025-55182) and Cloudflare (https://blog.cloudflare.com/waf-rules-react-vulnerability/) blog posts.

Here’s what else you need to know specific to Commerce.
Actions we are taking
All affected Next.js applications at Commerce have been upgraded to a patched version of Next.js, addressing the vulnerability. We’ve also released Catalyst v1.3.5 which ships with a patched version of Next.js.
Actions you need to take
If you are running a Catalyst-based headless storefront, you will need to update it to a version that includes the patched releases of Next.js and React. The following Catalyst versions incorporate these fixes.

@bigcommerce/catalyst-core@1.3.5
@bigcommerce/catalyst-makeswift@1.3.6

For migration details, refer to the Catalyst 1.3.5 Release Notes.

If you’re using a version of @bigcommerce/catalyst-b2b-buyer-portal, follow the manual steps outlined in the release notes. https://developer.bigcommerce.com/docs/storefront/catalyst/release-notes/1-3-5
Makeswift
Makeswift customers that are not using Catalyst should follow the Makeswift blog post for specific mitigation steps. https://www.makeswift.com/blog/announcements/2025-12-03-react-server-components-vulnerability

As part of Commerce.com's continued commitment to transparency and best-in-class security practices, we have completed our 2025 third-party penetration and network segmentation assessments. Executive summaries of these evaluations are now available in the REPORTS section of our Trust Center.

These annual tests assess the security posture of our applications, APIs, and mobile apps, feed management system, and include a comprehensive suite of network assessments—covering both internal and external networks, production segmentation, and the logical separation between customer storefronts.

Together, these assessments validate the effectiveness of our overall security architecture and ensure the confidentiality, integrity, and availability of the Commerce.com platforms.

All findings were reviewed and addressed in accordance with our risk management framework and remediation SLAs: 10 days for critical, 30 days for high, and 90 days for medium severity issues.

To view the executive summaries, visit security.bigcommerce.com and navigate to the REPORTS card.

We're committed to creating an inclusive experience for all our customers. As part of this commitment, we want to inform you about the European Accessibility Act (EAA), which came into effect on June 28, 2025. This significant legislation aims to make a wide range of products and services, including digital platforms, more accessible for people with disabilities across the EU. We are actively working to ensure our offerings comply with these new standards, reflecting our dedication to universal access and an enhanced user experience for everyone.

Script Authorization on Payment Pages: Understanding PCI 4.0 Section 6.4.3 and How We’re Providing The Tools To Keep Your Payment Pages Secure: https://developer.bigcommerce.com/resource-hub/script-authorization-on-payment-pages

We're pleased to announce the successful completion of our 2025 annual audit!

As part of our commitment to transparency and security, our updated ISO certifications, SOC Reports, and PCI Attestations are now available for your review. You can access all of these documents directly from our Platform Trust Center: https://bigcommerce.com/security

Thank you for your continued trust and partnership.

Important Update: BigCommerce Publishes an updated PCI DSS v4.0.1 Shared Responsibility Matrix

Dear Valued Customer,
At BigCommerce, we are committed to maintaining the highest standards of security and compliance, particularly concerning the protection of cardholder data. As part of this commitment, we are pleased to announce an updated PCI DSS v4.0.1 Shared Responsibility Matrix, with updates to customer-facing requirements (6.4.3 & 11.6.1).

This matrix provides a clear and detailed breakdown of the responsibilities shared between BigCommerce and our customers in adhering to the Payment Card Industry Data Security Standard (PCI DSS) v4.0.1. Understanding these shared responsibilities is crucial for ensuring the ongoing security of your payment processing environment.

What is the PCI DSS Shared Responsibility Matrix?

The matrix outlines:

• Specific PCI DSS requirements: It lists relevant requirements from the PCI DSS v4.0.1 standard, with v3.2.1 requirement numbers for reference.
• Responsibilities: It clearly defines which party (you, the customer, or BigCommerce) is responsible for meeting each requirement.
• Clarification: It provides clarity on the scope of our services and your obligations related to PCI DSS compliance.
• Collaboration: It fosters a collaborative approach to maintaining a secure payment ecosystem.

Why is this important?

• Enhanced Security: Understanding your responsibilities helps strengthen your overall security posture.
• Compliance Clarity: It provides a clear roadmap for achieving and maintaining PCI DSS compliance.
• Improved Collaboration: It promotes a transparent and collaborative relationship between BigCommerce and our customers.
• Updated for v4.0.1: It reflects the newest changes and requirements of the current PCI DSS standard.
• Updated with guidance about the impact of integrations and customizations to the responsibility matrix.

Where can you find the matrix?

You can access the PCI DSS v4.0.1 Shared Responsibility Matrix on our Trust Center:.

We encourage you to review this document carefully and familiarize yourself with your responsibilities. If you have any questions or require further clarification, please do not hesitate to contact our support team.

We appreciate your continued partnership and commitment to maintaining a secure payment environment.

Sincerely,

The BigCommerce Compliance Team