A critical-severity vulnerability related to React Server Components has been disclosed affecting React versions 19.0, 19.1, and 19.2. This includes Next.js which is used for internal applications at Makeswift as well as your deployed Makeswift applications. For further details on the vulnerability, refer to Critical Security Vulnerability in React Server Components.

To avoid exposure, Next.js and React need to be updated to their latest patched versions.

If you’re hosting your application on Vercel or are using Cloudflare’s WAF, those providers have platform level protections that help mitigate this vulnerability. However, upgrading to the latest versions of Next.js and React is strongly recommended. For further details refer to the Vercel and Cloudflare blog posts.

Here’s what else you need to know specific to Makeswift:

Actions we are taking

All affected Next.js applications at Makeswift have been upgraded to a patched version of Next.js, addressing the vulnerability.

Actions you need to take

For your deployed Makeswift applications, if you are using Next.js 15, you’ll need to upgrade to the latest patched version as soon as possible. Alternatively, if you are using Next.js canary version 14.3.0-canary.77 or later, you should downgrade to the latest stable 14.x release.