We discovered a minor vulnerability that might affect some apps using ReactDOMServer. We are releasing a patch version for every affected React minor release so that you can upgrade with no friction. Read on for more details.
Today, we are releasing a fix for a vulnerability we discovered in the react-dom/server implementation. It was introduced in version 16.0.0 and has existed in all subsequent releases until today.
This vulnerability can only affect some server-rendered React apps. Purely client-rendered apps are not affected. Additionally, we expect that most server-rendered apps don’t contain the vulnerable pattern described below. Nevertheless, we recommend following the mitigation instructions at the earliest opportunity.
... read the whole story at reactjs.org.