HAPI FHIR Core CVE-2026-45367
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2Blast Radius
ecosystem impact- 5 maven packages depend on ca.uhn.hapi.fhir:org.hl7.fhir.dstu2 (2 direct, 3 indirect)
- 5 maven packages depend on ca.uhn.hapi.fhir:org.hl7.fhir.dstu2016may (2 direct, 3 indirect)
- 6 maven packages depend on ca.uhn.hapi.fhir:org.hl7.fhir.dstu3 (3 direct, 3 indirect)
- 10 maven packages depend on ca.uhn.hapi.fhir:org.hl7.fhir.r4 (2 direct, 8 indirect)
- 5 maven packages depend on ca.uhn.hapi.fhir:org.hl7.fhir.r4b (1 direct, 4 indirect)
Ecosystem-wide dependent count for version 6.9.7 and other introduced versions.
DescriptionGitHub Advisory
Summary
All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions matches(), matchesFull(), and replaceMatches() pass user-controlled regular expressions directly to Java's Pattern.compile() and String.replaceAll() without complexity checks or timeouts. An attacker can send a resource containing an evil regex pattern that causes catastrophic backtracking, exhausting system resources, and causing Denial-of-Service.
Details
The vulnerability exists in regex execution in FHIRPathEngine implementations across multiple code modules. For example the org.hl7.fhir.r5 module:
Entry point 1 - FHIRPathEngine.java:5929 (R5 funcMatches):
private List<Base> funcMatches(ExecutionContext context, List<Base> focus, ExpressionNode exp) {
String sw = convertToString(swb); // attacker-controlled regex pattern
// ...
Pattern p = Pattern.compile("(?s)" + sw); // VULNERABLE: no complexity check
Matcher m = p.matcher(st); // no timeout
boolean ok = m.find();Entry point 2 - FHIRPathEngine.java:5951 (R5 funcMatchesFull):
Pattern p = Pattern.compile("(?s)" + sw); // VULNERABLE: same pattern
Matcher m = p.matcher(st);
boolean ok = m.matches();Entry point 3 - FHIRPathEngine.java:5120 (R5 funcReplaceMatches):
result.add(new StringType(convertToString(focus.get(0))
.replaceAll(regex, repl)).noExtensions()); // VULNERABLE: replaceAll uses Pattern internallyThe same vulnerabilities exist in the dstu2, dstu2016may, dstu3, r4, and r4b modules, and the FHIRPathEngine is used in the validation module functionality.
Why this is exploitable:
- No timeout mechanism covers FHIRPath evaluation - the
ValidationTimeoutclass only protectsInstanceValidatoroperations, notevaluateFhirPath() - Java's
Pattern.compile()with a pattern like(a+)+$against input"aaaaaaaaaaaaaaaaaaaaaa!"causes exponential backtracking (O(2^n) time complexity)
Impact
- CPU Exhaustion: The exponential backtracking in Java's regex engine consumes 100% of a CPU core for the duration of the hang (effectively infinite for sufficiently long input strings) for callers of FHIRPathEngine.
AnalysisAI
Regular expression denial-of-service (ReDoS) in HAPI FHIR's FHIRPathEngine allows remote unauthenticated attackers to exhaust CPU resources by submitting FHIR resources containing crafted FHIRPath expressions that invoke matches(), matchesFull(), or replaceMatches() with catastrophically backtracking regex patterns. Affected versions are org.hl7.fhir.* Maven artifacts at or below 6.9.6, with publicly available exploit code exists via the GitHub Security Advisory PoC (pattern (a+)+$ against a long string). CVSS 7.5 reflects high availability impact with no confidentiality or integrity loss; no public exploit identified in the wild and no CISA KEV listing.
Technical ContextAI
HAPI FHIR is the reference Java implementation of the HL7 FHIR (Fast Healthcare Interoperability Resources) standard maintained by University Health Network, widely embedded in healthcare integration platforms, EHR back-ends, and FHIR validation services. The flaw resides in FHIRPathEngine, the evaluator for FHIRPath - a path-based navigation and extraction language used throughout FHIR for queries, validation invariants, and search parameters. The three vulnerable sinks (funcMatches at FHIRPathEngine.java:5929, funcMatchesFull at :5951, funcReplaceMatches at :5120) concatenate attacker-controlled strings into java.util.regex.Pattern.compile() and String.replaceAll() with no length, complexity, or execution-time guardrails. This is a textbook CWE-1333 (Inefficient Regular Expression Complexity): nested quantifiers like (a+)+$ trigger exponential backtracking in Java's NFA-based regex engine. The pre-existing ValidationTimeout safety net wraps InstanceValidator but does not cover evaluateFhirPath(), leaving every caller of the engine exposed. All FHIR version modules (dstu2, dstu2016may, dstu3, r4, r4b, r5, validation, validation.cli) share the defect.
RemediationAI
Vendor-released patch: upgrade all org.hl7.fhir.* Maven dependencies to version 6.9.7 or later as documented in GHSA-3653-68v6-rq57 (https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-3653-68v6-rq57). For environments that cannot patch immediately, compensating controls include disabling or restricting the FHIR Validator HTTP endpoint to authenticated, trusted clients only; rejecting incoming FHIR resources that contain FHIRPath expressions invoking matches(), matchesFull(), or replaceMatches() via a reverse-proxy WAF rule; capping request body size and per-request CPU time at an upstream gateway (note this may legitimately reject large valid bundles); and running validator workers in cgroup-limited containers so a hung worker can be reaped without taking down the host. None of these workarounds fully eliminate exploitability because FHIRPath is also evaluated implicitly during resource validation invariants, so upgrading is strongly preferred.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-3653-68v6-rq57