HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint — CVE-2026-45367
GitHub · GitHub · CVE-2026-45367
CVE-2026-45367
GitHub
GitHub
high
7.5
Summary
## Summary All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions `matches()`, `matchesFull()`, and `replaceMatches()` pass user-controlled regular expressions directly to Java's `Pattern.compile()` and `String.replaceAll()` without complexity checks or timeouts. An attacker can send a resource containing an evil regex pattern…
Product
maven: ca.uhn.hapi.fhir:org.hl7.fhir.dstu2 | maven: ca.uhn.hapi.fhir:org.hl7.fhir.dstu2016may | maven: ca.uhn.hapi.fhir:org.hl7.fhir.dstu3 | maven: ca.uhn.hapi.fhir:org.hl7.fhir.r4 | maven: ca.uhn.hapi.fhir:org.hl7.fhir.r4b | maven: ca.uhn.hapi.fhir:org.hl7.fhir.r5 | maven: ca.uhn.hapi.fhir:org.hl7.fhir.validation | maven: ca.uhn.hapi.fhir:org.hl7.fhir.validation.cli
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.