Security Assurance Portal


Biza.io is exclusively focused on helping organisations deliver business value via the Consumer Data Right. We are passionate about open data and giving people choice about how their information is shared and to whom. Banking is just the beginning and we are expanding into Energy and other industries as they are announced.

Documents

Featured Documents

BCP Exercise

Network Security

We protect our corporate network against external & internal threats.

Knowledge Base (FAQ)
  • Is our customer data stored in Australia?
  • Does Biza have controls for APRA CPS234 or APRA CPS230?
  • Does Biza have a financial statement available?
  • Does your company have policies and processes in place that specifically address modern slavery issues in your operations and supply chains?
Security Assurance Portal Updates

CVE-2025-55182

Vulnerabilities

We have confirmed that the roll-out of the vendor patches for the recently disclosed React and Next.js vulnerability is complete. All affected services have now been updated, tested and verified in production.

As part of our process, we reviewed logs and monitoring across the impacted systems and found no evidence of misuse, attempted exploitation or impact to your services or data. All platforms continue to operate normally.

There is no action required from our customers.

This concludes our response to this event and we will continue routine monitoring as part of our ISMS controls.

We are aware of an industry-wide critical vulnerability in React Server Components, which are used extensively in modern web applications. https://www.cve.org/CVERecord?id=CVE-2025-55182

Our immediate investigation and assessment identified that it affects the Next.js versions used in PM, VTT/OG, BizaID Admin and BTR Admin.

It does not impact HaaS, DSaaS, and Appliance Admin.

We have mitigated the highest risk by deactivating our internal web interfaces for Biza ID Admin. This has no impact on our HaaS customers.
Authentication services are unaffected.

While we have found no evidence of exploitation and have mitigated the highest risk, the risk rating is high and patching promptly is the recommended path.

We will be patching the impacted versions through an emergency change once all testing has been completed today.

No action is required from our customers and there is no downtime expected as a result.

Production System Notifications

General

Change Freeze Notification 2025

Biza is announcing the dates for our annual change freeze from close of business 4 December 2025 to 8am 12 January 2026.

During the above period there will be no scheduled changes to production systems for our products, including HaaS, DSaaS, Product Manager and OG.

Any requests for Production system changes, other than those qualifying as P0/P1 incidents, will be automatically deferred until after this period. We thank you for your understanding. Emergency Change requests will be required for any deployments during this period.

If you need to raise a P0/P1/Emergency request please open a Support Ticket via Service Manager.

We thank you for being part of this journey with us and are looking forward to working with you all next year on the opportunities that the CDR supports for you and your customers.

If you have any questions, please contact us via our Service Desk.

Biza's 2025 SOC 2 Type 2 report now available

General

Biza is pleased to announce the release of our 2025 SOC 2 Type 2 report, now available for download in the Trust Center. The report covers the period of 1 July 2024 to 30 June 2025.

You may download the report here