Dan Abramov

**Name of the Vulnerable Software and Affected Versions** react-dom versions 16.0.0 through 16.0.0 react-dom versions 16.1.0 through 16.1.1 react-dom versions 16.2.0 through 16.2.0 react-dom versions 16.3.0 through 16.3.2 react-dom versions 16.4.0 through 16.4.1 **Description** The issue is related to a cross-site scripting vulnerability in React applications that render to HTML using the ReactDOMServer API. The lack of escaping of user-supplied attribute names at render-time could lead to this vulnerability. This may allow attackers to execute arbitrary JavaScript in the victim's browser. The application needs to be a server-side React app, rendered to HTML using ReactDOMServer, and include an attribute name from user input in an HTML tag to be affected by this vulnerability. **Recommendations** If you are using react-dom 16.0.x, upgrade to 16.0.1 or later. If you are using react-dom 16.1.x, upgrade to 16.1.2 or later. If you are using react-dom 16.2.x, upgrade to 16.2.1 or later. If you are using react-dom 16.3.x, upgrade to 16.3.3 or later. If you are using react-dom 16.4.x, upgrade to 16.4.2 or later.