 reported as a risk in your scan, this shows as being against React server components, which are server-side only.  However, Next.js does bundle React with server components enabled by default, and therefore we can detect it.  Hexiosec ASM identifies software components and versions on discovered websites and checks them daily against the CVEs published in NIST’s National Vulnerability Database, which already includes this CVE. You can read more about how ASM detects CVEs 

This vulnerability affects React Server Components, which run entirely on the server. Server components are not exposed to the browser, so no external scanner — including ASM — can determine whether a website is using the vulnerable server-side feature. Client-side React (which is externally visible) does not provide any indication of whether Server Components are present. As a result, this particular vulnerability, when found for React, cannot be externally detected and will not show in Hexiosec ASM scan results.

 In contrast, we can identify the version of Next.js in use. If ASM detects a version affected by CVE-2025-55182, we will raise the associated risk in the platform.

Does ASM validate the DKIM public key?

Why do I have a risk against client-side React?

EPSS

What is the 'Update pending' notification?

Hexiosec ASM

Hexiosec ASM (Public)

Organisation and Group Roles

Using Groups

MFA and session expiry

Password Policy

Changing email address

Changing ownership

User and Group Management

Scan Types

Scan Allowances

Seeds and IPs

Scan Limiting

Deleting Scans

Scan Notifications

Managing Scans

Report Terminology

Scan Reports

Health Scores

Managing Actions

EPSS Scoring of Risks

TLS Certificate Risks

Backport Resolvable Risks

Risk Severity Ratings

SPF Hard Fail risks

Managing Risks

Managing Domains and IPs

Graph view

Managing CDNs and Shared IPs

Cloud Asset Discovery

Exporting Scan Results from the ASM API

Link Changes Endpoint

Creating a scan using the API

Paginating the API Requests

Managing API Keys

Using the Public API

Hexiosec ASM mobile

Upgrade Recommendations

Contacting Support

Hexiosec ASM User Guides

Which domains need security.txt files?

Why isn’t app.fractalscan.com working anymore?

I've changed the device I use for MFA

I've accepted an invite, why can't I see anything?

I don't think this vulnerability applies to me?

I've fixed a risk, why has it not been resolved?

Why is my IP's geographic location not showing, or incorrect?

Will Hexiosec ASM find Malware?

What are primary and secondary assets?

What is a Stale domain?

Can I run scans without permission?

What happens when I delete a scan?

Will the latest CVE be found?

What version is Hexiosec ASM?

Which SSO protocols does ASM support?

FAQs

MSP Specific Guidance