Skip to content

HAPI FHIR: Incomplete fix for CVE-2026-45367: DSTU2 FHIRPathEngine.matches() missing RegexTimeout protection allows ReDoS

High severity GitHub Reviewed Published Jun 17, 2026 in hapifhir/org.hl7.fhir.core

Package

maven ca.uhn.hapi.fhir:org.hl7.fhir.convertors (Maven)

Affected versions

<= 6.9.9

Patched versions

6.9.10
maven ca.uhn.hapi.fhir:org.hl7.fhir.dstu2 (Maven)
<= 6.9.9
6.9.10
maven ca.uhn.hapi.fhir:org.hl7.fhir.validation (Maven)
<= 6.9.9
6.9.10
maven ca.uhn.hapi.fhir:org.hl7.fhir.validation.cli (Maven)
<= 6.9.9
6.9.10

Description

Summary

The fix for CVE-2026-45367 added RegexTimeout protection to the matches() function in DSTU2016MAY, DSTU3, R4, R4B, and R5, but the DSTU2 module was incompletely patched. In org.hl7.fhir.dstu2, replaceMatches() was updated while matches() at line 2462 still calls the raw String.matches(sw) without any timeout, allowing an unauthenticated attacker to trigger catastrophic regex backtracking and exhaust server CPU.

Details

Incomplete patch

Within the same file
(org.hl7.fhir.dstu2/utils/FHIRPathEngine.java), the two functions were
patched inconsistently:

Line 2226 — replaceMatches() — PATCHED:

result.add(new StringType(
    RegexTimeout.replaceAll(
        convertToString(focus.get(0)), regex, repl, regexTimeoutMillis)));

Line 2462 — matches() — NOT PATCHED:

result.add(new BooleanType(
    convertToString(focus.get(0)).matches(sw)));
// ↑ raw String.matches() — no RegexTimeout, no complexity check

DSTU3 line 2447 — matches() — PATCHED (for comparison):

result.add(new BooleanType(
    RegexTimeout.matches(st, sw, regexTimeoutMillis)));

Module-by-module status

Module matches() replaceMatches()
DSTU2 ❌ raw str.matches(sw) RegexTimeout.replaceAll()
DSTU2016MAY RegexTimeout.matches()
DSTU3 RegexTimeout.matches()
R4 RegexTimeout.matches()
R4B RegexTimeout.matches()
R5 RegexTimeout.matches()

PoC

Requirements: Java 17+, Maven 3.8+

pom.xml dependencies:

<dependency>
    <groupId>ca.uhn.hapi.fhir</groupId>
    <artifactId>org.hl7.fhir.utilities</artifactId>
    <version>6.9.7</version>
</dependency>

Test code (reproduces the exact behaviour of DSTU2 line 2462):

import org.hl7.fhir.utilities.regex.RegexTimeout;
import java.util.concurrent.*;

String regex = "((a|b){0,5}){20}";
String input = "a".repeat(25) + "c";    // no match → full backtracking

// ① Patched approach — RegexTimeout terminates at 500 ms
long t1 = System.currentTimeMillis();
try {
    RegexTimeout.matches(input, regex, 500);
} catch (TimeoutException e) {
    System.out.println("RegexTimeout blocked in " +
        (System.currentTimeMillis() - t1) + " ms");
}

// ② DSTU2 line 2462 — raw String.matches(), no timeout
long t2 = System.currentTimeMillis();
input.matches(regex);                   // equivalent to what FHIRPathEngine does
System.out.println("str.matches() ran for " +
    (System.currentTimeMillis() - t2) + " ms with no timeout");

Verified output (JDK 25.0.3, Linux):

RegexTimeout blocked in 508 ms      ← patched modules: attack stopped
str.matches() ran for 1410 ms       ← DSTU2: no timeout, CPU exhausted

The patched approach cuts off the evaluation at 508 ms. The unpatched DSTU2
code runs for 1410 ms on this input with no mechanism to stop it. Longer
inputs or more complex patterns produce proportionally worse results.

Impact

Vulnerability type: Regular Expression Denial of Service (ReDoS) causing CPU exhaustion and service disruption.

Who is impacted: Any application using the ca.uhn.hapi.fhir:org.hl7.fhir.dstu2 module that evaluates user-supplied FHIRPath expressions — including the FHIR Validator HTTP endpoint, FHIR servers applying FHIRPath invariants from user-provided resources or profiles, and any system embedding FHIRPathEngine from the DSTU2 module. No authentication is required; an attacker needs only to submit a FHIR resource or FHIRPath expression whose matches() argument contains a catastrophically backtracking regular expression.

References

@dotasek dotasek published to hapifhir/org.hl7.fhir.core Jun 17, 2026
Published to the GitHub Advisory Database Jun 17, 2026
Reviewed Jun 17, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS score

Weaknesses

Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. Learn more on MITRE.

CVE ID

CVE-2026-55470

GHSA ID

GHSA-fxj4-p9xp-37v5

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.