As per the description of the vulnerability, a pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

All supported versions of CA PAM as of December 2025.

CA PAM is not impacted by this vulnerability, since CA PAM does not use any of the React Server components.