In Sonatype Lifecycle and Repository Firewall, CVE-2025-55182 currently appears with a CVSS v4 score of 9.3 (Critical), not 10. This is an intentional result of our Security Research Team’s analysis and of IQ Server’s CVSS precedence rules, not a data error. Both 9.3 and 10 are treated as Critical in our default model.
CVSS score precedence
A vulnerability can have multiple CVSS scores from different sources and CVSS versions. IQ Server chooses which score to use according to a defined order of precedence:
- Custom CVSS severity (if present)
- Official Assessed CVSS v4 from NVD
- Official Assessed CVSS v3x from NVD
- Official Assessed CVSS v2 from NVD
- CVSS v4 from Sonatype
- CVSS v3x from Sonatype
- CVSS v2 from Sonatype
Vendor “root scores” (R scores) are informational only and are not used as CVSS Base Scores by IQ Server. We only consider actual CVSS vectors in the list above and always prefer an official NVD vector when one exists. See “What is IQ Server's order of precedence for multiple CVSS severities?”.
For CVE-2025-55182, NVD had not yet provided an NVD‑assessed CVSS vector at the time we scored it, so by this precedence order Sonatype products use our CVSS v4 score.
Why our CVSS v4 score is 9.3
Our Security Research Team analyzes new vulnerabilities and calculates CVSS scores using the Common Vulnerability Scoring System version 4. See Sonatype Vulnerability Data. For CVE-2025-55182, we determined that the correct CVSS v4 score is 9.3.
The only difference between our 9.3 and a 10 for this vulnerability is the “scope” (CVSS v3) / “subsequent system” (CVSS v4) metric. Based on our research, exploit code is sent to and executed by the React Server Components (RSC) process under its existing privilege level, and that process is both the vulnerable and impacted system. For a 10, the vulnerable and impacted systems would need to be different. Because we do not see a separate impacted system, the appropriate CVSS v4 score is 9.3 (Critical) rather than 10 (Critical).
Relation to NVD and vendor scores
We and NVD both use CVSS, but different analysts can legitimately select different metric values based on their understanding of the vulnerability. Our researchers often score vulnerabilities before NVD and update scores as more information becomes available, so differences from NVD’s values are expected. See Sonatype Vulnerability Data.
Some public records may show 10 as a vendor “root score” (R score). R scores are not CVSS Base Scores and are not used in IQ Server’s precedence; we only consider actual CVSS v2, v3, or v4 vectors from NVD or from our Security Research Team.
Policy considerations
By default, our Security‑Critical policies are designed so that vulnerabilities with CVSS scores in the 9.0–10.0 range are treated as Critical. We do not recommend changing Critical policies to trigger only on a score of exactly 10, because that would exclude vulnerabilities like CVE-2025-55182 that we intentionally score as 9.3 (Critical) and that should still be treated as Critical.
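The following is an added example, not Sonatype's or IQ Server's own code. It models the precedence order listed above and the default 9.0–10.0 Critical range, using constructed sample records for CVE-2025-55182 (the NVD value used to show the override is a placeholder, not NVD's real score).

```python
# Added example (not Sonatype code): models IQ Server's CVSS precedence order
# and the default Security-Critical threshold described in the article.
from dataclasses import dataclass
from typing import Optional, List

# Precedence order, highest priority first. A version of None matches any
# version (custom severities are taken as-is). "3" covers the v3x family.
PRECEDENCE = [
    ("custom", None),
    ("nvd", "4"), ("nvd", "3"), ("nvd", "2"),
    ("sonatype", "4"), ("sonatype", "3"), ("sonatype", "2"),
]

@dataclass(frozen=True)
class Score:
    source: str              # "custom", "nvd", "sonatype" or "vendor_root"
    version: Optional[str]   # "2", "3.0", "3.1", "4.0" or None
    value: float

def _family(version: Optional[str]) -> Optional[str]:
    # "3.0" and "3.1" both belong to the "3x" family.
    return version.split(".")[0] if version else None

def select_effective_score(scores: List[Score]) -> Optional[Score]:
    # Vendor R scores are informational only and never become the Base Score.
    candidates = [s for s in scores if s.source != "vendor_root"]
    for source, family in PRECEDENCE:
        for s in candidates:
            if s.source == source and (family is None or _family(s.version) == family):
                return s
    return None

def is_critical(score: Optional[Score], low: float = 9.0, high: float = 10.0) -> bool:
    # Default Security-Critical policy: any CVSS score in [9.0, 10.0] is Critical.
    return score is not None and low <= score.value <= high

# Constructed data for CVE-2025-55182 at scoring time: no NVD vector yet,
# Sonatype CVSS v4 of 9.3, and a vendor R score of 10 that must be ignored.
CVE_2025_55182_AT_SCORING = [
    Score("vendor_root", None, 10.0),
    Score("sonatype", "4.0", 9.3),
]

# Hypothetical later state: NVD publishes a v3.1 vector (placeholder value),
# which outranks Sonatype's v4 score under the precedence order.
CVE_2025_55182_AFTER_NVD = CVE_2025_55182_AT_SCORING + [Score("nvd", "3.1", 9.8)]

if __name__ == "__main__":
    chosen = select_effective_score(CVE_2025_55182_AT_SCORING)
    print(chosen, "critical:", is_critical(chosen))
```

Running the block with the misconfigured threshold `is_critical(chosen, 10.0, 10.0)` shows why a Critical policy that fires only on exactly 10 would miss this CVE.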