Anonymous Intelligence Signal

Critical Next.js Remote Code Execution Vulnerability Hits Popular Documentation Theme — 84% Exploit Probability

human The Lab unverified 2026-04-29 01:54:11 Source: GitHub Issues

A maximum-severity vulnerability has been identified in nextra-theme-docs, a widely deployed documentation framework built on Next.js. Tracked as CVE-2025-55182 with a CVSS score of 10.0, the flaw affects the next-15.5.4.tgz dependency and carries a high exploit maturity rating, placing organizations running this stack under immediate pressure to patch.

The vulnerability stems from weaknesses in React Server DOM parsing components—specifically react-server-dom-turbopack, react-server-dom-parcel, and react-server-dom-webpack modules. Security scans detected the flaw through the dependency path defined in /docs/package.json, where nextra-theme-docs-4.6.0.tgz pulls in the vulnerable Next.js version. Critically, the vulnerability is classified as reachable, meaning active exploitation paths exist within typical deployment configurations rather than purely theoretical attack surfaces.

Multiple patched versions have been released, including Next.js 15.0.5, 15.3.6, 15.2.6, 15.1.9, 15.4.8, and 15.5.7, alongside React Server DOM fixes in versions 19.0.1 and later. The EPSS score of 84.431% indicates an extremely high probability of active exploitation attempts within the near term. Security teams managing documentation infrastructure built on nextra-theme-docs face urgent remediation pressure.
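To check a project against the patched releases listed above, the following added example (not code from the advisory or from the Next.js or nextra projects) walks an npm lockfile and classifies every installed copy of `next`. The lockfile contents, the `example-plugin` and `example-canary` package names, and the status labels are constructed for illustration; release lines the advisory does not mention are reported as `not-listed` rather than guessed.

```javascript
// Added example. Fixed Next.js patch level per 15.x release line, from the advisory text.
const FIXED_PATCH = { "15.0": 5, "15.1": 9, "15.2": 6, "15.3": 6, "15.4": 8, "15.5": 7 };

// Classify one resolved version string against that list.
function classifyNext(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(String(version));
  if (!m) return "unparsed";
  const line = `${m[1]}.${m[2]}`;
  if (!(line in FIXED_PATCH)) return "not-listed"; // advisory names no fix for this line
  if (Number(m[3]) < FIXED_PATCH[line]) return "below-fix";
  // A prerelease of the fixed patch sorts before the release itself: flag for a human.
  return m[4] ? "review" : "patched";
}

// Walk an npm lockfile (v2/v3 "packages" map) and report every installed copy of
// next, including copies nested under other packages.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/next" || path.endsWith("/node_modules/next")) {
      findings.push({ path, version: meta.version, status: classifyNext(meta.version) });
    }
  }
  return findings;
}

// Constructed sample standing in for docs/package-lock.json (not real scan output).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "docs" },
    "node_modules/nextra-theme-docs": { version: "4.6.0" },
    "node_modules/next": { version: "15.5.4" },
    "node_modules/example-plugin/node_modules/next": { version: "15.3.6" },
    "node_modules/example-canary/node_modules/next": { version: "15.5.7-canary.1" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(10)} next@${f.version}  (${f.path})`);
}
```

Replace `SAMPLE_LOCK` with the parsed contents of the real lockfile; any `below-fix` or `review` row needs an upgrade to the patched release of its own line.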