Regex Backtracking Flaw in HAPI FHIR Implementation from HAPI FHIR
CVE-2026-55470
7.5HIGH
What is CVE-2026-55470?
An unauthenticated attacker can exploit a regex backtracking flaw in the HAPI FHIR library in versions prior to 6.9.10. The flaw allows attackers to trigger excessive CPU usage through the FHIRPathEngine.matches() function in the DSTU2 module, jeopardizing server performance. The vulnerability was previously addressed in a partial fix for CVE-2026-45367, but the raw String.matches() method lacks RegexTimeout protection, amplifying the risk. Users are advised to upgrade to version 6.9.10 or later to mitigate this issue.
Affected Version(s)
org.hl7.fhir.core < 6.9.10
