HAPI FHIR, ReDoS, CVE-2026-45367 (High)

Listen to this Post

All FHIRPathEngine implementations accept arbitrary FHIRPath expressions without validation. The matches(), matchesFull(), and `replaceMatches()` functions pass user‑controlled regex patterns directly to Java’s `Pattern.compile()` and String.replaceAll(), with no complexity checks or timeouts. An attacker supplies a resource containing a malicious regex, such as (a+)+$, together with a long input string like "aaaaaaaaaaaaaaaaaaaaaa!". Java’s regex engine enters catastrophic backtracking, leading to exponential time complexity O(2ⁿ). The three vulnerable code locations are in the `org.hl7.fhir.r5` module:
– `FHIRPathEngine.java:5929` (funcMatches)
– `FHIRPathEngine.java:5951` (funcMatchesFull)
– `FHIRPathEngine.java:5120` (funcReplaceMatches)
The same issue affects the DSTU2, DSTU2016May, DSTU3, R4, and R4B modules. The `ValidationTimeout` class protects only `InstanceValidator` operations, not evaluateFhirPath(), so no timeout covers FHIRPath evaluation. By sending a crafted expression, an attacker can force the server to consume 100% of a CPU core indefinitely, causing a complete denial‑of‑service for all FHIRPathEngine callers.

dailycve form:

Platform: HAPI FHIR / HL7 FHIR Core
Version: ≤ 6.9.6
Vulnerability: ReDoS
Severity: High
date: 2026‑05‑18

Prediction: 6.9.7 expected

What Undercode Say:

Simulate a regex that triggers catastrophic backtracking
echo "aaaaaaaaaaaaaaaaaaaaaa!" | grep -E '(a+)+$'
Check FHIRPathEngine version in a running HAPI FHIR instance
curl -s https://your-fhir-server/base/metadata | jq '.software.version'
Monitor CPU usage before sending a malicious FHIRPath expression
top -b -n 1 | grep -E "Cpu(s)"
Send a malicious FHIR resource (example using curl)
curl -X POST https://your-fhir-server/fhir/Patient \
-H "Content-Type: application/fhir+json" \
-d '{"resourceType":"Patient","name":[{"text":"$(matches('\''^(a+)+$'\'', '\''aaaaaaaaaaaaaaaaaaaaaa!'\'')"}]}'
Watch a single core become saturated after the request
mpstat -P ALL 1

How Exploit:

  1. Craft a malicious FHIRPath expression containing a vulnerable regex, e.g. (a+)+$, and a long input string, e.g. 30+ `”a”` characters followed by a "!".
  2. Embed the expression in a FHIR resource submitted to any endpoint that invokes the FHIRPathEngine (e.g., a `Patient` resource with a `text` field containing the expression).
  3. Send the resource to the FHIR server. The server will parse the resource and evaluate the FHIRPath expression.
  4. The regex engine enters catastrophic backtracking, consuming 100% CPU and hanging the server thread indefinitely.
  5. Repeat with multiple threads to exhaust all CPU cores, causing a full DoS of the FHIR server.

Protection from this CVE:

  • Upgrade to HAPI FHIR version 6.9.7 or later, which fixes the regex handling in all affected modules.
  • Apply a workaround by disabling the vulnerable FHIRPath functions (matches(), matchesFull(), replaceMatches()) via a custom validator configuration, if upgrading is not immediately possible.
  • Implement a reverse proxy (e.g., Nginx, HAProxy) with request size limits and timeouts to drop suspiciously large or long‑running requests before they reach the FHIR engine.
  • Monitor CPU usage and set up alerts for sudden core saturation to quickly detect a possible ReDoS attack.

Impact

  • CPU Exhaustion – The exponential backtracking locks one CPU core per attack request; multiple requests can consume all available cores, freezing the server.
  • Denial‑of‑Service (DoS) – All FHIR operations that rely on FHIRPathEngine (including validation, resource processing, and search) become unresponsive, halting healthcare data exchange.
  • No Authentication Required – The vulnerability is exploitable by any party that can submit a FHIR resource to the server, making it an unauthenticated DoS vector.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top