PT-2026-41778 · Maven+1 · Ca.Uhn.Hapi.Fhir:Org.Hl7.Fhir.Dstu2+14

Published

2026-05-18

·

Updated

2026-07-10

·

CVE-2026-45367

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions FHIRPathEngine (affected versions not specified)
Description Implementations of FHIRPathEngine evaluate arbitrary FHIRPath expressions without input validation. The functions matches(), matchesFull(), and replaceMatches() pass user-controlled regular expressions directly to Java's Pattern.compile() and String.replaceAll() without complexity checks or timeouts. This allows an attacker to provide a malicious regex pattern that triggers catastrophic backtracking—a condition where the regex engine takes exponential time to determine if a string matches a pattern—leading to CPU exhaustion and Denial-of-Service.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

DoS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45367
GHSA-3653-68V6-RQ57

Affected Products

Ca.Uhn.Hapi.Fhir:Org.Hl7.Fhir.Dstu2
Ca.Uhn.Hapi.Fhir:Org.Hl7.Fhir.Dstu2016May
Ca.Uhn.Hapi.Fhir:Org.Hl7.Fhir.Dstu3
Ca.Uhn.Hapi.Fhir:Org.Hl7.Fhir.R4
Ca.Uhn.Hapi.Fhir:Org.Hl7.Fhir.R4B
Ca.Uhn.Hapi.Fhir:Org.Hl7.Fhir.R5
Ca.Uhn.Hapi.Fhir:Org.Hl7.Fhir.Validation
Ca.Uhn.Hapi.Fhir:Org.Hl7.Fhir.Validation.Cli
Io.Root.Ca.Uhn.Hapi.Fhir:Org.Hl7.Fhir.Dstu2
Io.Root.Ca.Uhn.Hapi.Fhir:Org.Hl7.Fhir.Dstu2016May
Io.Root.Ca.Uhn.Hapi.Fhir:Org.Hl7.Fhir.Dstu3
Io.Root.Ca.Uhn.Hapi.Fhir:Org.Hl7.Fhir.R4
Io.Root.Ca.Uhn.Hapi.Fhir:Org.Hl7.Fhir.R4B
Io.Root.Ca.Uhn.Hapi.Fhir:Org.Hl7.Fhir.R5
Io.Root.Ca.Uhn.Hapi.Fhir:Org.Hl7.Fhir.Validation