## CVE-2025-55182: Next.js 15.5.4 Reaches Maximum CVSS 10.0 With High Exploit Maturity, 84% EPSS Score
Next.js version 15.5.4, distributed as next-15.5.4.tgz via npm registry, contains eight security vulnerabilities, with the most severe—CVE-2025-55182—achieving a perfect CVSS score of 10.0 and marked as reachable, according to a vulnerability report surfaced through GitHub Issues. The flaw's exploit maturity is rated High, and its Exploit Prediction Scoring System (EPSS) percentile stands at 84.431%, indicating an 84% probability of active exploitation within the next 30 days. The vulnerable package was identified in the dependency path through /docs/package.json, signaling exposure in documentation infrastructure that may extend to downstream projects consuming this version.

The critical vulnerability resides within the react-server-dom-turbopack, react-server-dom-parcel, and react-server-dom-webpack modules. Patches have been released across multiple versions: react-server-dom packages addressed the issue in versions 19.0.1, 19.1.2, and 19.2.1, while Next.js patches are available in versions 15.0.5, 15.2.6, and 15.3.6. The presence of eight total vulnerabilities in this single package version raises questions about the security review processes applied prior to the 15.5.4 release, particularly given the critical severity of the primary CVE and its documented reachability.

Organizations running Next.js 15.5.4 should prioritize immediate remediation given the combination of maximum severity, reachable exploitability, and high exploit maturity. The 84% EPSS score places this vulnerability in the top percentile of likely-exploited issues, outpacing the majority of documented CVEs. Security teams maintaining projects with Next.js dependencies should audit their package.json files and registry configurations, particularly where react-server-dom and turbopack integrations are in use. The rapid availability of patches across multiple version branches suggests a coordinated but urgent disclosure, warranting swift action.
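
An audit along the lines described above, as an added example that is not from the original report or the Next.js project: it walks an npm lockfile's `packages` map and compares `next` and `react-server-dom-*` entries against the fixed versions listed in this article. The sample lockfile is constructed, and release lines the article does not list (15.5.x included, apart from the reported 15.5.4) are flagged for manual review against the vendor advisory rather than guessed.

```javascript
// Added example. Fixed versions below are only those listed in this article.
const RSD_FIXED = ["19.0.1", "19.1.2", "19.2.1"];
const FIXED = {
  next: ["15.0.5", "15.2.6", "15.3.6"],
  "react-server-dom-webpack": RSD_FIXED,
  "react-server-dom-parcel": RSD_FIXED,
  "react-server-dom-turbopack": RSD_FIXED,
};
// Versions the article itself reports as vulnerable.
const REPORTED_AFFECTED = { next: ["15.5.4"] };

const parse = (v) => v.split(".").map(Number);

// Classify one installed version against the article's fix list.
function classify(name, version) {
  if ((REPORTED_AFFECTED[name] || []).includes(version)) return "reported-affected";
  // Prereleases/build metadata do not order cleanly against x.y.z: review by hand.
  if (!/^\d+\.\d+\.\d+$/.test(version)) return "review";
  const [major, minor, patch] = parse(version);
  const fix = (FIXED[name] || []).map(parse).find(([a, b]) => a === major && b === minor);
  if (!fix) return "review"; // release line not listed in the article
  return patch < fix[2] ? "below-fix" : "at-or-above-fix";
}

// Walk a package-lock.json (lockfileVersion 2/3) "packages" map, including
// nested copies such as node_modules/a/node_modules/next.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!Object.hasOwn(FIXED, name) || !meta.version) continue;
    findings.push({ path, version: meta.version, status: classify(name, meta.version) });
  }
  return findings;
}

// Constructed sample lockfile for a hypothetical docs/ project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "docs" },
    "node_modules/next": { version: "15.5.4" },
    "node_modules/react-server-dom-webpack": { version: "19.1.0" },
    "node_modules/some-tool/node_modules/next": { version: "15.3.6" },
    "node_modules/react": { version: "19.1.0" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(f.status, f.version, f.path);
```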

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: next.js, CVE-2025-55182, CVSS 10.0, npm, vulnerability
- **Credibility**: unverified
- **Published**: 2026-04-29 01:54:12
- **ID**: 78023
- **URL**: https://whisperx.ai/en/intel/78023