VYPR
High severity 7.5 · GHSA Advisory · Published May 18, 2026 · Updated May 18, 2026

HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint

CVE-2026-45367

Description

Summary

All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions matches(), matchesFull(), and replaceMatches() pass user-controlled regular expressions directly to Java's Pattern.compile() and String.replaceAll() without complexity checks or timeouts. An attacker can send a resource containing an evil regex pattern that causes catastrophic backtracking, exhausting system resources and causing denial of service.

Details

The vulnerability exists in the regex execution of the FHIRPathEngine implementations across multiple code modules. For example, in the org.hl7.fhir.r5 module:

**Entry point 1 — FHIRPathEngine.java:5929 (R5 funcMatches):**

```java
private List<Base> funcMatches(ExecutionContext context, List<Base> focus, ExpressionNode exp) {
  // ... (swb, the evaluated regex argument, is elided in this excerpt)
  String sw = convertToString(swb); // attacker-controlled regex pattern
  // ...
  Pattern p = Pattern.compile("(?s)" + sw); // VULNERABLE: no complexity check
  Matcher m = p.matcher(st); // no timeout
  boolean ok = m.find();
  // ...
}
```

**Entry point 2 — FHIRPathEngine.java:5951 (R5 funcMatchesFull):**

```java
Pattern p = Pattern.compile("(?s)" + sw); // VULNERABLE: same pattern
Matcher m = p.matcher(st);
boolean ok = m.matches();
```

**Entry point 3 — FHIRPathEngine.java:5120 (R5 funcReplaceMatches):**

```java
result.add(new StringType(convertToString(focus.get(0))
    .replaceAll(regex, repl)).noExtensions()); // VULNERABLE: replaceAll uses Pattern internally
```

The same vulnerabilities exist in the dstu2, dstu2016may, dstu3, r4, and r4b modules, and FHIRPathEngine is also used by the validation module.

Why this is exploitable:

- No timeout mechanism covers FHIRPath evaluation: the ValidationTimeout class only protects InstanceValidator operations, not evaluateFhirPath().
- Java's Pattern.compile() with a pattern like `(a+)+$` against input "aaaaaaaaaaaaaaaaaaaaaa!" causes exponential backtracking (O(2^n) time complexity).

Impact

  • CPU Exhaustion: The exponential backtracking in Java's regex engine consumes 100% of a CPU core for the duration of the hang (effectively infinite for sufficiently long input strings) for callers of FHIRPathEngine.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FHIRPathEngine's matches() and replaceMatches() functions in HL7 FHIR libraries are vulnerable to ReDoS via crafted regex patterns, leading to CPU exhaustion and denial-of-service.

Vulnerability

Overview

CVE-2026-45367 is a ReDoS (Regular Expression Denial-of-Service) vulnerability in FHIRPathEngine implementations across multiple HL7 FHIR library modules. The FHIRPath functions matches(), matchesFull(), and replaceMatches() accept user-controlled regular expression patterns without input validation. The patterns are passed directly to Java's Pattern.compile() and String.replaceAll() without complexity checks or timeouts, enabling attackers to craft regex patterns that trigger catastrophic backtracking, consuming excessive CPU resources [1][2].

Exploitation

Conditions

The vulnerability can be exploited remotely without authentication. An attacker sends a FHIR resource containing a malicious FHIRPath expression that uses one of the vulnerable functions with an evil regex pattern, such as (a+)+$ against input like "aaaaaaaaaaaaaaaaaaaaaa!". This causes exponential backtracking (O(2^n) time complexity) during pattern matching. The FHIRPath evaluation does not have a timeout mechanism; the ValidationTimeout class only protects InstanceValidator operations, not evaluateFhirPath() [1].

Impact

Successful exploitation leads to CPU exhaustion, making the FHIR validator or any service using the vulnerable FHIRPathEngine unresponsive, resulting in denial-of-service. The attacker can disrupt operations of FHIR servers, validation endpoints, or any system processing untrusted FHIRPath expressions [1][2].

Mitigation

As of the advisory date, patches are available from the HL7 FHIR core project. Users should update to the fixed versions. Workarounds may include applying input validation to FHIRPath expressions, restricting access to vulnerable endpoints, or using external firewalls to filter malicious patterns. The vulnerability affects modules dstu2, dstu2016may, dstu3, r4, r4b, and r5 [1][2].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)