CVE-2026-45367
HIGH
NVD
CVSS Score
7.5
Severity
HIGH
Published
Jul 16, 2026
Vendor
unknown
Description
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.7, the FHIRPathEngine implementation passes user-controlled regular expressions from matches(), matchesFull(), and replaceMatches() to Java regex operations without effective timeouts, allowing catastrophic backtracking and denial of service. This issue is fixed in version 6.9.7.
References
- https://github.com/hapifhir/org.hl7.fhir.core/commit/275d015c680ce9f90cbe285596e50118e472bf24
- https://github.com/hapifhir/org.hl7.fhir.core/commit/e08982d2b6f6dcd6c670a762d9cf999179fbe4ed
- https://github.com/hapifhir/org.hl7.fhir.core/pull/2403
- https://github.com/hapifhir/org.hl7.fhir.core/pull/2463
- https://github.com/hapifhir/org.hl7.fhir.core/releases/tag/6.9.7