Nextra 4.6.0 Flawed by 22 Vulnerabilities: Critical CVSS 10.0 Reachable Exposure in Popular Site Generator
A security audit of the nextra-4.6.0.tgz package, widely used as a Next.js and MDX-based site generator, has uncovered 22 distinct vulnerabilities embedded within its dependency chain. The highest-severity flaw carries a perfect CVSS score of 10.0 and is classified as reachable, indicating that the exploit path is actively accessible within affected deployments rather than requiring complex attack chains to trigger.
The most critical finding, tracked as CVE-2025-55182, has an exploit maturity rated 'High' and an Exploit Prediction Scoring System (EPSS) score of 84.431%. Taken together, these signal both active exploitation potential and, per the EPSS model, an approximately 84% probability that exploitation activity will be observed within the next 30 days. The vulnerability traces through react-server-dom-turbopack and the related react-server-dom variants, with remediations reportedly available in versions 19.1.2 and 19.2.1. The exposure was traced to /docs/package.json, suggesting the vulnerable dependency was pulled in through the documentation site's own build configuration rather than deliberately.
Organizations leveraging nextra for documentation portals, technical blogs, or content-driven sites face immediate operational risk. The reachable classification of the CVSS 10.0 flaw means adversaries do not require sophisticated techniques to exploit the vulnerability chain. Security teams should audit dependency trees for nextra-4.6.0.tgz and prioritize patching to fixed react-server-dom versions, particularly in production environments where the package serves public-facing content.
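As an added example (not part of the audit write-up or the nextra project), the following Node.js script walks a lockfileVersion 2/3 package-lock.json and reports every react-server-dom-* install that sits below the fixed releases the article names. The embedded sample lockfile is constructed, and the rule that versions on lines without a listed fix are flagged for review is an assumption.

```javascript
// Fixed releases named in the audit; the minor line selects the floor.
const FIXED = { "19.1": [19, 1, 2], "19.2": [19, 2, 1] };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when `version` is at or above the fixed release for its minor line.
// Assumption: lines with no listed fix (19.0.x, 18.x) are treated as unfixed
// so they surface for manual review; 19.3+ is taken to ship after both fixes.
function isFixed(version) {
  const p = parseVersion(version);
  const floor = FIXED[`${p[0]}.${p[1]}`];
  if (floor) return compare(p, floor) >= 0;
  return compare(p, [19, 2, 1]) >= 0;
}

// Returns one finding per react-server-dom-* entry in the lockfile's
// "packages" map whose version is not fixed. Nested installs (e.g. under
// docs/node_modules) are included because the path, not the name, is the key.
function findVulnerable(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || path.split("node_modules/").pop();
    if (!name || !name.startsWith("react-server-dom-")) continue;
    if (!meta.version || isFixed(meta.version)) continue;
    findings.push({ path, name, version: meta.version });
  }
  return findings;
}

// Constructed sample mirroring the docs/ exposure described in the article.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "docs/node_modules/react-server-dom-turbopack": { version: "19.1.1" },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2]; // optional path to a real package-lock.json
  const lock = file ? JSON.parse(require("node:fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  for (const f of findVulnerable(lock)) console.log(`${f.path}: ${f.name}@${f.version} needs upgrade`);
}
```

Run it as `node scan.js path/to/package-lock.json`; with no argument it scans the constructed sample and reports only the 19.1.1 turbopack install.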