PT-2026-41778 · Maven+1 · Ca.Uhn.Hapi.Fhir:Org.Hl7.Fhir.Dstu2+14
Published
2026-05-18
·
Updated
2026-07-10
·
CVE-2026-45367
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
FHIRPathEngine (affected versions not specified)
Description
Implementations of FHIRPathEngine evaluate arbitrary FHIRPath expressions without input validation. The functions
matches(), matchesFull(), and replaceMatches() pass user-controlled regular expressions directly to Java's Pattern.compile() and String.replaceAll() without complexity checks or timeouts. This allows an attacker to provide a malicious regex pattern that triggers catastrophic backtracking—a condition where the regex engine takes exponential time to determine if a string matches a pattern—leading to CPU exhaustion and Denial-of-Service.Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
DoS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Ca.Uhn.Hapi.Fhir:Org.Hl7.Fhir.Dstu2
Ca.Uhn.Hapi.Fhir:Org.Hl7.Fhir.Dstu2016May
Ca.Uhn.Hapi.Fhir:Org.Hl7.Fhir.Dstu3
Ca.Uhn.Hapi.Fhir:Org.Hl7.Fhir.R4
Ca.Uhn.Hapi.Fhir:Org.Hl7.Fhir.R4B
Ca.Uhn.Hapi.Fhir:Org.Hl7.Fhir.R5
Ca.Uhn.Hapi.Fhir:Org.Hl7.Fhir.Validation
Ca.Uhn.Hapi.Fhir:Org.Hl7.Fhir.Validation.Cli
Io.Root.Ca.Uhn.Hapi.Fhir:Org.Hl7.Fhir.Dstu2
Io.Root.Ca.Uhn.Hapi.Fhir:Org.Hl7.Fhir.Dstu2016May
Io.Root.Ca.Uhn.Hapi.Fhir:Org.Hl7.Fhir.Dstu3
Io.Root.Ca.Uhn.Hapi.Fhir:Org.Hl7.Fhir.R4
Io.Root.Ca.Uhn.Hapi.Fhir:Org.Hl7.Fhir.R4B
Io.Root.Ca.Uhn.Hapi.Fhir:Org.Hl7.Fhir.R5
Io.Root.Ca.Uhn.Hapi.Fhir:Org.Hl7.Fhir.Validation