Threat Advisory

HAPI FHIR Vulnerability Enables ReDoS Attacks

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-45367, with a CVSS score of 7.5, is a ReDoS vulnerability in the HAPI FHIR FHIRPath engine, specifically affecting the matches(), matchesFull(), and replaceMatches() functions in FHIR Validator HTTP Endpoints. The affected products are maven/ca.uhn.hapi.fhir:org.hl7.fhir.dstu2, org.hl7.fhir.dstu2016may, org.hl7.fhir.dstu3, org.hl7.fhir.r4, org.hl7.fhir.r4b, org.hl7.fhir.r5, org.hl7.fhir.validation, and org.hl7.fhir.validation.cli, all at versions less than or equal to 6.9.6. An attacker can exploit this vulnerability by sending a resource containing a malicious regular expression that causes catastrophic backtracking, exhausting system resources on the FHIRPath engine and resulting in Denial-of-Service. The attacker gains the capability to consume significant system resources, leading to CPU exhaustion and potential system crashes. If exploited, this vulnerability could have a significant business impact, including downtime, data loss, and revenue loss, particularly in healthcare and medical industries that rely heavily on FHIR-based systems. To exploit this vulnerability, an attacker requires access to the affected system and the ability to send malicious input to the FHIRPath engine.
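As an added defender-side example (not HAPI FHIR's own code, and not the fix shipped in 6.9.7), the following Java program shows one general mitigation for catastrophic backtracking: running java.util.regex under a wall-clock budget so that an expensive pattern is aborted instead of pinning a CPU. It assumes the FHIRPath matches() family is ultimately backed by java.util.regex (an assumption about the engine's internals), and DeadlineCharSequence, SafeRegexDemo and matchesWithBudget are hypothetical names chosen for this illustration.

```java
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
/** Thrown when a regex evaluation exceeds its time budget. */
final class RegexTimeoutException extends RuntimeException {
    RegexTimeoutException(String message) { super(message); }
}
/** CharSequence wrapper that checks a wall-clock deadline on every charAt(). Matcher reads its
 *  input only through CharSequence, so a backtracking search that keeps re-reading characters
 *  is aborted once the budget is spent. Hypothetical helper, not part of HAPI FHIR. */
final class DeadlineCharSequence implements CharSequence {
    private final CharSequence inner;
    private final long deadlineNanos;
    DeadlineCharSequence(CharSequence inner, long deadlineNanos) {
        this.inner = inner;
        this.deadlineNanos = deadlineNanos;
    }
    @Override public char charAt(int index) {
        if (System.nanoTime() - deadlineNanos > 0) { // overflow-safe nanoTime comparison
            throw new RegexTimeoutException("regex evaluation exceeded its time budget");
        }
        return inner.charAt(index);
    }
    @Override public int length() { return inner.length(); }
    @Override public CharSequence subSequence(int start, int end) {
        return new DeadlineCharSequence(inner.subSequence(start, end), deadlineNanos);
    }
    @Override public String toString() { return inner.toString(); }
}
public class SafeRegexDemo {
    /** Runs Matcher.matches() under a time budget; throws RegexTimeoutException on overrun. */
    static boolean matchesWithBudget(String pattern, String input, long budgetMillis) {
        long deadline = System.nanoTime() + TimeUnit.MILLISECONDS.toNanos(budgetMillis);
        Matcher m = Pattern.compile(pattern).matcher(new DeadlineCharSequence(input, deadline));
        return m.matches();
    }
    public static void main(String[] args) {
        // Well-behaved pattern: finishes long before the budget expires.
        System.out.println("benign: " + matchesWithBudget("[A-Z]{3}\\d{4}", "ABC1234", 100));
        // Nested quantifier that backtracks exponentially on a non-matching tail (the textbook
        // catastrophic-backtracking shape); the guard cuts it off after roughly 100 ms.
        String input = "a".repeat(40) + "!"; // constructed input; String.repeat needs Java 11+
        try {
            matchesWithBudget("(a+)+$", input, 100);
        } catch (RegexTimeoutException e) {
            System.out.println("aborted: " + e.getMessage());
        }
    }
}
```

A budget of this kind only bounds the matching phase; the pattern length and the size of the submitted resource should be capped separately, since Pattern.compile() itself runs before the guard is in place.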


RECOMMENDATION:

  • We recommend updating the HAPI FHIR product to version 6.9.7.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-3653-68v6-rq57
