HAPI FHIR Core CVE-2026-45367
Severity: HIGH
CVSS Vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Blast Radius
Ecosystem impact:
- 5 maven packages depend on ca.uhn.hapi.fhir:org.hl7.fhir.dstu2 (2 direct, 3 indirect)
- 5 maven packages depend on ca.uhn.hapi.fhir:org.hl7.fhir.dstu2016may (2 direct, 3 indirect)
- 6 maven packages depend on ca.uhn.hapi.fhir:org.hl7.fhir.dstu3 (3 direct, 3 indirect)
- 5 maven packages depend on ca.uhn.hapi.fhir:org.hl7.fhir.r4 (2 direct, 3 indirect)
- 5 maven packages depend on ca.uhn.hapi.fhir:org.hl7.fhir.r4b (1 direct, 4 indirect)
Ecosystem-wide dependent count for version 6.9.7 and other introduced versions.
Description (NVD)
Summary
All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions matches(), matchesFull(), and replaceMatches() pass user-controlled regular expressions directly to Java's Pattern.compile() and String.replaceAll() without complexity checks or timeouts. An attacker can send a resource containing an evil regex pattern that causes catastrophic backtracking, exhausting system resources, and causing Denial-of-Service.
Details
The vulnerability lies in the regex execution paths of the FHIRPathEngine implementations across multiple code modules. For example, in the org.hl7.fhir.r5 module:
Entry point 1 - FHIRPathEngine.java:5929 (R5 funcMatches):

    private List<Base> funcMatches(ExecutionContext context, List<Base> focus, ExpressionNode exp) {
      String sw = convertToString(swb); // attacker-controlled regex pattern
      // ...
      Pattern p = Pattern.compile("(?s)" + sw); // VULNERABLE: no complexity check
      Matcher m = p.matcher(st); // no timeout
      boolean ok = m.find();

Entry point 2 - FHIRPathEngine.java:5951 (R5 funcMatchesFull):

    Pattern p = Pattern.compile("(?s)" + sw); // VULNERABLE: same pattern
    Matcher m = p.matcher(st);
    boolean ok = m.matches();

Entry point 3 - FHIRPathEngine.java:5120 (R5 funcReplaceMatches):

    result.add(new StringType(convertToString(focus.get(0))
        .replaceAll(regex, repl)).noExtensions()); // VULNERABLE: replaceAll uses Pattern internally

The same vulnerabilities exist in the dstu2, dstu2016may, dstu3, r4, and r4b modules, and the FHIRPathEngine is also used by the validation module, so validation entry points reach the same code.
Why this is exploitable:
- No timeout mechanism covers FHIRPath evaluation: the ValidationTimeout class only protects InstanceValidator operations, not evaluateFhirPath().
- Java's Pattern.compile() with a pattern like (a+)+$ against the input "aaaaaaaaaaaaaaaaaaaaaa!" causes exponential backtracking (O(2^n) time complexity).
Impact
- CPU Exhaustion: The exponential backtracking in Java's regex engine consumes 100% of a CPU core for the duration of the hang (effectively infinite for sufficiently long input strings) for callers of FHIRPathEngine.
Analysis (AI)
Regular expression denial-of-service (ReDoS) in HAPI FHIR's FHIRPathEngine allows remote unauthenticated attackers to exhaust CPU resources by submitting FHIR resources containing crafted FHIRPath expressions that invoke matches(), matchesFull(), or replaceMatches() with catastrophically backtracking regex patterns. Affected versions are org.hl7.fhir.* Maven artifacts at or below 6.9.6, and publicly available exploit code exists via the GitHub Security Advisory PoC (pattern (a+)+$ against a long string). …
Remediation (AI)
Within 24 hours: Identify and inventory all systems running org.hl7.fhir.* artifacts at version 6.9.6 or earlier and assess direct internet exposure. Within 7 days: Deploy input validation to reject FHIRPath expressions with catastrophic backtracking patterns and implement request rate-limiting on FHIR query endpoints. …
External POC / Exploit Code: GHSA-3653-68v6-rq57