CVE-2026-45367
HIGH
7.5
CVSS 3.1
Description
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.7, the FHIRPathEngine implementation passes user-controlled regular expressions from matches(), matchesFull(), and replaceMatches() to Java regex operations without effective timeouts, allowing catastrophic backtracking and denial of service. This issue is fixed in version 6.9.7.
Metadata
Severity & Metrics
7.5
HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| hapifhir | org.hl7.fhir.core | — | < 6.9.7 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-1333 | cna | CWE-1333: Inefficient Regular Expression Complexity |
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 7.5 | HIGH | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (6)
- https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-3653-68v6-rq57 https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-3653-68v6-rq57
- https://github.com/hapifhir/org.hl7.fhir.core/pull/2403 https://github.com/hapifhir/org.hl7.fhir.core/pull/2403
- https://github.com/hapifhir/org.hl7.fhir.core/pull/2463 https://github.com/hapifhir/org.hl7.fhir.core/pull/2463
- https://github.com/hapifhir/org.hl7.fhir.core/commit/275d015c680ce9f90cbe285596e50118e472bf24 https://github.com/hapifhir/org.hl7.fhir.core/commit/275d015c680ce9f90cbe285596e50118e472bf24
- https://github.com/hapifhir/org.hl7.fhir.core/commit/e08982d2b6f6dcd6c670a762d9cf999179fbe4ed https://github.com/hapifhir/org.hl7.fhir.core/commit/e08982d2b6f6dcd6c670a762d9cf999179fbe4ed
- https://github.com/hapifhir/org.hl7.fhir.core/releases/tag/6.9.7 https://github.com/hapifhir/org.hl7.fhir.core/releases/tag/6.9.7