CVE-2026-55470 PUBLISHED

HAPI FHIR: DSTU2 FHIRPathEngine.matches() missing RegexTimeout protection allows ReDoS

Assigner: GitHub_M
Reserved: 16.06.2026 Published: 08.07.2026 Updated: 09.07.2026

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.10, the fix for CVE-2026-45367 incompletely patched the DSTU2 module, leaving FHIRPathEngine.matches() in org.hl7.fhir.dstu2/utils/FHIRPathEngine.java to call raw String.matches(sw) without RegexTimeout protection while replaceMatches() was updated, allowing an unauthenticated attacker to trigger catastrophic regex backtracking and exhaust server CPU. This issue is fixed in version 6.9.10.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Product Status

Vendor hapifhir
Product org.hl7.fhir.core
Versions
  • Version < 6.9.10 is affected

References

Problem Types

  • CWE-1333: Inefficient Regular Expression Complexity CWE