Listen to this Post
All FHIRPathEngine implementations accept arbitrary FHIRPath expressions without validation. The matches(), matchesFull(), and `replaceMatches()` functions pass user‑controlled regex patterns directly to Java’s `Pattern.compile()` and String.replaceAll(), with no complexity checks or timeouts. An attacker supplies a resource containing a malicious regex, such as (a+)+$, together with a long input string like "aaaaaaaaaaaaaaaaaaaaaa!". Java’s regex engine enters catastrophic backtracking, leading to exponential time complexity O(2ⁿ). The three vulnerable code locations are in the `org.hl7.fhir.r5` module:
– `FHIRPathEngine.java:5929` (funcMatches)
– `FHIRPathEngine.java:5951` (funcMatchesFull)
– `FHIRPathEngine.java:5120` (funcReplaceMatches)
The same issue affects the DSTU2, DSTU2016May, DSTU3, R4, and R4B modules. The `ValidationTimeout` class protects only `InstanceValidator` operations, not evaluateFhirPath(), so no timeout covers FHIRPath evaluation. By sending a crafted expression, an attacker can force the server to consume 100% of a CPU core indefinitely, causing a complete denial‑of‑service for all FHIRPathEngine callers.
dailycve form:
Platform: HAPI FHIR / HL7 FHIR Core
Version: ≤ 6.9.6
Vulnerability: ReDoS
Severity: High
date: 2026‑05‑18
Prediction: 6.9.7 expected
What Undercode Say:
Simulate a regex that triggers catastrophic backtracking
echo "aaaaaaaaaaaaaaaaaaaaaa!" | grep -E '(a+)+$'
Check FHIRPathEngine version in a running HAPI FHIR instance
curl -s https://your-fhir-server/base/metadata | jq '.software.version'
Monitor CPU usage before sending a malicious FHIRPath expression
top -b -n 1 | grep -E "Cpu(s)"
Send a malicious FHIR resource (example using curl)
curl -X POST https://your-fhir-server/fhir/Patient \
-H "Content-Type: application/fhir+json" \
-d '{"resourceType":"Patient","name":[{"text":"$(matches('\''^(a+)+$'\'', '\''aaaaaaaaaaaaaaaaaaaaaa!'\'')"}]}'
Watch a single core become saturated after the request
mpstat -P ALL 1
How Exploit:
- Craft a malicious FHIRPath expression containing a vulnerable regex, e.g.
(a+)+$, and a long input string, e.g. 30+ `”a”` characters followed by a"!". - Embed the expression in a FHIR resource submitted to any endpoint that invokes the FHIRPathEngine (e.g., a `Patient` resource with a `text` field containing the expression).
- Send the resource to the FHIR server. The server will parse the resource and evaluate the FHIRPath expression.
- The regex engine enters catastrophic backtracking, consuming 100% CPU and hanging the server thread indefinitely.
- Repeat with multiple threads to exhaust all CPU cores, causing a full DoS of the FHIR server.
Protection from this CVE:
- Upgrade to HAPI FHIR version 6.9.7 or later, which fixes the regex handling in all affected modules.
- Apply a workaround by disabling the vulnerable FHIRPath functions (
matches(),matchesFull(),replaceMatches()) via a custom validator configuration, if upgrading is not immediately possible. - Implement a reverse proxy (e.g., Nginx, HAProxy) with request size limits and timeouts to drop suspiciously large or long‑running requests before they reach the FHIR engine.
- Monitor CPU usage and set up alerts for sudden core saturation to quickly detect a possible ReDoS attack.
Impact
- CPU Exhaustion – The exponential backtracking locks one CPU core per attack request; multiple requests can consume all available cores, freezing the server.
- Denial‑of‑Service (DoS) – All FHIR operations that rely on FHIRPathEngine (including validation, resource processing, and search) become unresponsive, halting healthcare data exchange.
- No Authentication Required – The vulnerability is exploitable by any party that can submit a FHIR resource to the server, making it an unauthenticated DoS vector.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

