diff --git a/CHANGELOG.md b/CHANGELOG.md
index de8a7aadc3..4a8092817e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,8 @@
 
 ### Added
 
+* Upgrade React to 16.4.2 to fix a server-side vunerability @tisto
+
 ### Changes
 
 * Don't reset total and batching on pending search @robgietema
diff --git a/package.json b/package.json
index 3de6633c4c..d8ff9e5137 100644
--- a/package.json
+++ b/package.json
@@ -199,11 +199,11 @@
     "prop-types": "15.6.1",
     "raven": "2.4.2",
     "raven-js": "3.24.0",
-    "react": "16.4.1",
+    "react": "16.4.2",
     "react-cookie": "1.0.5",
     "react-dnd": "2.6.0",
     "react-dnd-html5-backend": "2.6.0",
-    "react-dom": "16.4.1",
+    "react-dom": "16.4.2",
     "react-dropzone": "4.2.9",
     "react-helmet": "5.2.0",
     "react-inline-css": "2.3.1",
@@ -286,7 +286,7 @@
     "react-addons-test-utils": "15.6.2",
     "react-stateless-wrapper": "1.0.7",
     "react-templates": "0.6.1",
-    "react-test-renderer": "16.4.1",
+    "react-test-renderer": "16.4.2",
     "react-transform-catch-errors": "1.0.2",
     "react-transform-hmr": "1.0.4",
     "redbox-react": "1.5.0",
diff --git a/yarn.lock b/yarn.lock
index 46e4029135..d937a10c63 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -10376,9 +10376,9 @@ react-dock@^0.2.4:
     lodash.debounce "^3.1.1"
     prop-types "^15.5.8"
 
-react-dom@16.4.1:
-  version "16.4.1"
-  resolved "https://registry.yarnpkg.com/react-dom/-/react-dom-16.4.1.tgz#7f8b0223b3a5fbe205116c56deb85de32685dad6"
+react-dom@16.4.2:
+  version "16.4.2"
+  resolved "https://registry.yarnpkg.com/react-dom/-/react-dom-16.4.2.tgz#4afed569689f2c561d2b8da0b819669c38a0bda4"
   dependencies:
     fbjs "^0.8.16"
     loose-envify "^1.1.0"
@@ -10442,9 +10442,9 @@ react-intl@2.4.0:
     intl-relativeformat "^2.0.0"
     invariant "^2.1.1"
 
-react-is@^16.4.1:
-  version "16.4.1"
-  resolved "https://registry.yarnpkg.com/react-is/-/react-is-16.4.1.tgz#d624c4650d2c65dbd52c72622bbf389435d9776e"
+react-is@^16.4.2:
+  version "16.4.2"
+  resolved "https://registry.yarnpkg.com/react-is/-/react-is-16.4.2.tgz#84891b56c2b6d9efdee577cc83501dfc5ecead88"
 
 react-json-tree@^0.11.0:
   version "0.11.0"
@@ -10602,14 +10602,14 @@ react-templates@0.6.1:
     optionator "0.8.2"
     text-table "0.2.0"
 
-react-test-renderer@16.4.1:
-  version "16.4.1"
-  resolved "https://registry.yarnpkg.com/react-test-renderer/-/react-test-renderer-16.4.1.tgz#f2fb30c2c7b517db6e5b10ed20bb6b0a7ccd8d70"
+react-test-renderer@16.4.2:
+  version "16.4.2"
+  resolved "https://registry.yarnpkg.com/react-test-renderer/-/react-test-renderer-16.4.2.tgz#4e03eca9359bb3210d4373f7547d1364218ef74e"
   dependencies:
     fbjs "^0.8.16"
     object-assign "^4.1.1"
     prop-types "^15.6.0"
-    react-is "^16.4.1"
+    react-is "^16.4.2"
 
 react-transform-catch-errors@1.0.2:
   version "1.0.2"
@@ -10622,9 +10622,9 @@ react-transform-hmr@1.0.4:
     global "^4.3.0"
     react-proxy "^1.1.7"
 
-react@16.4.1:
-  version "16.4.1"
-  resolved "https://registry.yarnpkg.com/react/-/react-16.4.1.tgz#de51ba5764b5dbcd1f9079037b862bd26b82fe32"
+react@16.4.2:
+  version "16.4.2"
+  resolved "https://registry.yarnpkg.com/react/-/react-16.4.2.tgz#2cd90154e3a9d9dd8da2991149fdca3c260e129f"
   dependencies:
     fbjs "^0.8.16"
     loose-envify "^1.1.0"