CVE-2026-45367
HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint
CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.7, the FHIRPathEngine implementation passes user-controlled regular expressions from matches(), matchesFull(), and replaceMatches() to Java regex operations without effective timeouts, allowing catastrophic backtracking and denial of service. This issue is fixed in version 6.9.7.
| CWE | CWE-1333 |
| Vendor | hapifhir |
| Product | org.hl7.fhir.core |
| Published | Jul 16, 2026 |
Stay Ahead of the Next One
Get instant alerts for hapifhir org.hl7.fhir.core
Be the first to know when new high vulnerabilities affecting hapifhir org.hl7.fhir.core are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Affected Versions
hapifhir / org.hl7.fhir.core
< 6.9.7
References
github.com: https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-3653-68v6-rq57 github.com: https://github.com/hapifhir/org.hl7.fhir.core/pull/2403 github.com: https://github.com/hapifhir/org.hl7.fhir.core/pull/2463 github.com: https://github.com/hapifhir/org.hl7.fhir.core/commit/275d015c680ce9f90cbe285596e50118e472bf24 github.com: https://github.com/hapifhir/org.hl7.fhir.core/commit/e08982d2b6f6dcd6c670a762d9cf999179fbe4ed github.com: https://github.com/hapifhir/org.hl7.fhir.core/releases/tag/6.9.7