How serious do we think this CVE is?

I'd call it a strong medium, but it depends on your deployment infra. We pin the Root CA to disk, so folks attempting to attack FB owned assets with this, I think it would be difficult but I still need to verify how serious this is for us. I'm under the expectation that many folks do something similar, so while I think there's risky, I don't think it's exceptionally high.