CVE-2026-49485 in FHIRinfo

Summary

by MITRE • 07/17/2026

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.9 and 6.9.4.2, all implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation, and the FHIRPath functions matches(), matchesFull(), and replaceMatches() pass user-controlled regular expressions to Java's Pattern.compile() and String.replaceAll() through an incomplete timeout utility. An attacker can send a resource containing an evil regex pattern that causes catastrophic backtracking, exhausting CPU resources and causing denial of service in the FHIR Validator HTTP endpoint and affected org.hl7.fhir.* modules. This issue is fixed in versions 6.9.9 and 6.9.4.2.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/17/2026

The HAPI FHIR library represents a comprehensive Java implementation of the HL7 FHIR standard, designed to facilitate healthcare data interoperability across diverse medical systems. This widely adopted framework enables organizations to exchange clinical information using standardized formats while maintaining compatibility with various healthcare IT infrastructures. The vulnerability affects multiple versions of the FHIRPathEngine component that processes FHIRPath expressions for data querying and validation within the healthcare ecosystem.

The core technical flaw resides in the insufficient input validation mechanisms within the FHIRPathEngine implementation where arbitrary FHIRPath expressions are accepted and evaluated without proper sanitization or restriction. This vulnerability specifically impacts three critical functions: matches(), matchesFull(), and replaceMatches() which directly interface with Java's native regular expression processing capabilities through Pattern.compile() and String.replaceAll() methods. The incomplete timeout utility fails to adequately protect against malicious regex patterns that exploit catastrophic backtracking behaviors.

The operational impact of this vulnerability manifests as a severe denial-of-service condition affecting the FHIR Validator HTTP endpoint and all affected org.hl7.fhir.* modules. Attackers can craft specially designed regex patterns that trigger exponential backtracking in Java's regular expression engine, consuming excessive CPU resources and ultimately rendering the system unavailable to legitimate users. This exploitation technique leverages known weaknesses in regex processing where certain pattern combinations cause the engine to explore exponentially growing numbers of execution paths, leading to system resource exhaustion.

This vulnerability aligns with CWE-400, which specifically addresses "Uncontrolled Resource Consumption" in software systems, and demonstrates a classic example of how insufficient input validation can create dangerous attack vectors. The issue also maps to ATT&CK technique T1499.004, "Toggle File System Filter," as it represents an indirect method of system disruption through resource exhaustion rather than direct file system manipulation. Organizations utilizing vulnerable versions face significant operational risks including service unavailability, data processing delays, and potential compromise of critical healthcare workflows that depend on seamless FHIR interoperability.

The fix implemented in versions 6.9.9 and 6.9.4.2 addresses the core issue by introducing proper input validation for FHIRPath expressions and implementing robust timeout mechanisms around regex processing operations. These updates ensure that user-controlled regular expressions undergo appropriate sanitization and resource limitation before execution, preventing malicious patterns from causing system-wide denial-of-service conditions while maintaining the legitimate functionality of the FHIRPath engine.

Responsible

GitHub M

Reservation

05/30/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!