CVE-2026-45367: HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint
All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions matches(), matchesFull(), and replaceMatches() pass user-controlled regular expressions directly to Java's Pattern.compile() and String.replaceAll() without complexity checks or timeouts. An attacker can send a resource containing an evil regex pattern that causes catastrophic backtracking, exhausting system resources and causing a denial of service.