Trust Center


Welcome to the Dotmatics Trust Center for Dotmatics ELN & Data Discovery. In this portal, you will find artefacts and information intended to help customers and partners understand these products' security, privacy, quality, and compliance posture.

Documents

REPORTS: Network Diagram

Access Control

Endpoint Security

Network Security

Corporate Security

Continuous Monitoring

Knowledge Base (FAQ)
  • Is Dotmatics Platform validated or GxP compliant?
Trust Center Updates

Customer Security Advisory: CVE-2025-55182 and CVE-2025-66478

Vulnerabilities

Date: 5 December 2025

Dotmatics is providing this update to inform our customers of our investigation and response to two notable and recently disclosed vulnerabilities in the JavaScript ecosystem: CVE-2025-55182 and CVE-2025-66478.

1. CVE-2025-55182 React Server Components

On 3 December 2025 at approximately 4:12 PM ET, we became aware of a publicly disclosed vulnerability affecting certain React server-side packages (CVE-2025-55182). Reference materials are available here:

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

https://nvd.nist.gov/vuln/detail/CVE-2025-55182

Immediately upon becoming aware of this disclosure, we initiated an internal review to evaluate whether any products within our application portfolio incorporate the affected React server-side components.

This review was completed at approximately 6:21 PM ET on 3 December 2025. Based on that assessment, no products within our portfolio were found to use the React server-side components associated with CVE-2025-55182.

2. CVE-2025-66478 Next.js (downstream impact)

At approximately 10:51 PM ET on 3 December 2025, we became aware of CVE-2025-66478, which is a downstream vulnerability impacting Next.js due to its dependency on the components associated with CVE-2025-55182. Reference materials are available here:

https://nextjs.org/blog/CVE-2025-66478

https://nvd.nist.gov/vuln/detail/CVE-2025-66478

Immediately upon becoming aware of this disclosure, we initiated an internal review to evaluate whether any products within our application portfolio incorporate the affected Next.js components.

During our review, we identified that two products in our application portfolio, Luma and Sigma components, used affected Next.js versions.

Remediation

Upon identification of these affected components, we immediately initiated our standard vulnerability response procedures, including patch application, internal testing, quality verification, and deployment. All remediation activities were completed by 4 December 2025.

Our monitoring to date has not identified any indicators of abnormal, anomalous, or unauthorized activity associated with these vulnerabilities in the context of our products or environments.

We note that vulnerabilities of this nature may evolve as additional security research becomes available. Accordingly, we will continue to monitor for updates and will take further action as necessary.

3. Customer Guidance

No customer action is required at this time with respect to our products that incorporated the affected Next.js components. If new information becomes available that changes required customer actions or materially impacts risk, we will issue updated communication.

For questions or additional information, please contact your account representative.

Dotmatics Not Affected By MOVEit Vulnerabilities

Vulnerabilities

There have been many first-hand and media reports regarding a high-risk, high-impact vulnerability in MOVEit file transfer software leading to compromise and ransomware attacks across multiple industries. A recent update from CISA can be found here: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a

Dotmatics has done a review of implemented software across the organisation and can confirm that we do not run this software, and are not impacted by this vulnerability.

Welcome to the Dotmatics Trust Center

General

Welcome to Dotmatics' Trust Center. We are pleased to announce the launch of our customer-facing, self-service home for documents and answers on security, privacy, and compliance matters. We will also use this Trust Center as a place to provide confirmed information to customers when it's critical that you know the origin is authentic.

If you need help using this Trust Center, please contact us.
If you think you may have discovered a vulnerability, please send us a note.