Denial of Service Vulnerability in HAPI FHIR Product by HAPI FHIR
CVE-2026-49485
What is CVE-2026-49485?
The HAPI FHIR framework, which implements the HL7 FHIR standard for healthcare interoperability, is susceptible to a denial of service vulnerability due to inadequate input validation. This vulnerability arises from the FHIRPathEngine's acceptance of arbitrary FHIRPath expressions. Functions such as matches(), matchesFull(), and replaceMatches() process user-supplied regex patterns without strict validation, leading to potential CPU exhaustion caused by catastrophic backtracking. Attackers can exploit this flaw by sending crafted requests to the FHIR Validator HTTP endpoint, disrupting service availability. The issue has been addressed in versions 6.9.9 and 6.9.4.2.
Affected Version(s)
org.hl7.fhir.core < 6.9.4.2 < 6.9.4.2
org.hl7.fhir.core >= 6.9.5, < 6.9.9 < 6.9.5, 6.9.9
