Skip to main content

HAPI FHIR Core CVE-2026-45367

HIGH
Inefficient Regular Expression Complexity (ReDoS) (CWE-1333)
2026-05-18 https://github.com/hapifhir/org.hl7.fhir.core GHSA-3653-68v6-rq57
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 18, 2026 - 21:08 vuln.today
Analysis Generated
May 18, 2026 - 21:08 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 5 maven packages depend on ca.uhn.hapi.fhir:org.hl7.fhir.dstu2 (2 direct, 3 indirect)
  • 5 maven packages depend on ca.uhn.hapi.fhir:org.hl7.fhir.dstu2016may (2 direct, 3 indirect)
  • 6 maven packages depend on ca.uhn.hapi.fhir:org.hl7.fhir.dstu3 (3 direct, 3 indirect)
  • 10 maven packages depend on ca.uhn.hapi.fhir:org.hl7.fhir.r4 (2 direct, 8 indirect)
  • 5 maven packages depend on ca.uhn.hapi.fhir:org.hl7.fhir.r4b (1 direct, 4 indirect)

Ecosystem-wide dependent count for version 6.9.7 and other introduced versions.

DescriptionGitHub Advisory

Summary

All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions matches(), matchesFull(), and replaceMatches() pass user-controlled regular expressions directly to Java's Pattern.compile() and String.replaceAll() without complexity checks or timeouts. An attacker can send a resource containing an evil regex pattern that causes catastrophic backtracking, exhausting system resources, and causing Denial-of-Service.

Details

The vulnerability exists in regex execution in FHIRPathEngine implementations across multiple code modules. For example the org.hl7.fhir.r5 module:

Entry point 1 - FHIRPathEngine.java:5929 (R5 funcMatches):

java
private List<Base> funcMatches(ExecutionContext context, List<Base> focus, ExpressionNode exp) {
    String sw = convertToString(swb); // attacker-controlled regex pattern
    // ...
    Pattern p = Pattern.compile("(?s)" + sw); // VULNERABLE: no complexity check
    Matcher m = p.matcher(st);                // no timeout
    boolean ok = m.find();

Entry point 2 - FHIRPathEngine.java:5951 (R5 funcMatchesFull):

java
Pattern p = Pattern.compile("(?s)" + sw); // VULNERABLE: same pattern
Matcher m = p.matcher(st);
boolean ok = m.matches();

Entry point 3 - FHIRPathEngine.java:5120 (R5 funcReplaceMatches):

java
result.add(new StringType(convertToString(focus.get(0))
    .replaceAll(regex, repl)).noExtensions()); // VULNERABLE: replaceAll uses Pattern internally

The same vulnerabilities exist in the dstu2, dstu2016may, dstu3, r4, and r4b modules, and the FHIRPathEngine is used in the validation module functionality.

Why this is exploitable:

  • No timeout mechanism covers FHIRPath evaluation - the ValidationTimeout class only protects InstanceValidator operations, not evaluateFhirPath()
  • Java's Pattern.compile() with a pattern like (a+)+$ against input "aaaaaaaaaaaaaaaaaaaaaa!" causes exponential backtracking (O(2^n) time complexity)

Impact

  • CPU Exhaustion: The exponential backtracking in Java's regex engine consumes 100% of a CPU core for the duration of the hang (effectively infinite for sufficiently long input strings) for callers of FHIRPathEngine.

AnalysisAI

Regular expression denial-of-service (ReDoS) in HAPI FHIR's FHIRPathEngine allows remote unauthenticated attackers to exhaust CPU resources by submitting FHIR resources containing crafted FHIRPath expressions that invoke matches(), matchesFull(), or replaceMatches() with catastrophically backtracking regex patterns. Affected versions are org.hl7.fhir.* Maven artifacts at or below 6.9.6, with publicly available exploit code exists via the GitHub Security Advisory PoC (pattern (a+)+$ against a long string). CVSS 7.5 reflects high availability impact with no confidentiality or integrity loss; no public exploit identified in the wild and no CISA KEV listing.

Technical ContextAI

HAPI FHIR is the reference Java implementation of the HL7 FHIR (Fast Healthcare Interoperability Resources) standard maintained by University Health Network, widely embedded in healthcare integration platforms, EHR back-ends, and FHIR validation services. The flaw resides in FHIRPathEngine, the evaluator for FHIRPath - a path-based navigation and extraction language used throughout FHIR for queries, validation invariants, and search parameters. The three vulnerable sinks (funcMatches at FHIRPathEngine.java:5929, funcMatchesFull at :5951, funcReplaceMatches at :5120) concatenate attacker-controlled strings into java.util.regex.Pattern.compile() and String.replaceAll() with no length, complexity, or execution-time guardrails. This is a textbook CWE-1333 (Inefficient Regular Expression Complexity): nested quantifiers like (a+)+$ trigger exponential backtracking in Java's NFA-based regex engine. The pre-existing ValidationTimeout safety net wraps InstanceValidator but does not cover evaluateFhirPath(), leaving every caller of the engine exposed. All FHIR version modules (dstu2, dstu2016may, dstu3, r4, r4b, r5, validation, validation.cli) share the defect.

RemediationAI

Vendor-released patch: upgrade all org.hl7.fhir.* Maven dependencies to version 6.9.7 or later as documented in GHSA-3653-68v6-rq57 (https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-3653-68v6-rq57). For environments that cannot patch immediately, compensating controls include disabling or restricting the FHIR Validator HTTP endpoint to authenticated, trusted clients only; rejecting incoming FHIR resources that contain FHIRPath expressions invoking matches(), matchesFull(), or replaceMatches() via a reverse-proxy WAF rule; capping request body size and per-request CPU time at an upstream gateway (note this may legitimately reject large valid bundles); and running validator workers in cgroup-limited containers so a hung worker can be reaped without taking down the host. None of these workarounds fully eliminate exploitability because FHIRPath is also evaluated implicitly during resource validation invariants, so upgrading is strongly preferred.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-45367 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy