CVE-2026-49485
Received Received - Intake

ReDoS Vulnerability in HAPI FHIR Java Implementation

Vulnerability report for CVE-2026-49485, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.9 and 6.9.4.2, all implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation, and the FHIRPath functions matches(), matchesFull(), and replaceMatches() pass user-controlled regular expressions to Java's Pattern.compile() and String.replaceAll() through an incomplete timeout utility. An attacker can send a resource containing an evil regex pattern that causes catastrophic backtracking, exhausting CPU resources and causing denial of service in the FHIR Validator HTTP endpoint and affected org.hl7.fhir.* modules. This issue is fixed in versions 6.9.9 and 6.9.4.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
hapifhir hapi_fhir to 6.9.9 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects HAPI FHIR, a Java implementation of the HL7 FHIR standard for healthcare data exchange. It allows attackers to send malicious FHIRPath expressions containing evil regex patterns that cause catastrophic backtracking. This exhausts CPU resources and leads to denial of service in the FHIR Validator HTTP endpoint and related modules.

Detection Guidance

To detect this vulnerability, monitor for unusual CPU usage spikes in the FHIR Validator HTTP endpoint or affected org.hl7.fhir.* modules. Check for excessive resource consumption when processing FHIRPath expressions. No specific commands are provided in the context.

Impact Analysis

If you use HAPI FHIR versions before 6.9.9 or 6.9.4.2, an attacker could exploit this to crash your FHIR Validator service or other affected modules by sending specially crafted requests. This could disrupt healthcare data processing and availability.

Compliance Impact

This vulnerability could impact compliance by disrupting the availability of healthcare data processing systems. Denial of service conditions may lead to delays or failures in accessing critical patient data, potentially violating HIPAA's availability requirements and GDPR's data processing principles.

Mitigation Strategies

Upgrade to HAPI FHIR versions 6.9.9 or 6.9.4.2 or later to address the vulnerability. Disable or restrict access to the FHIR Validator HTTP endpoint if immediate upgrade is not possible. Monitor network traffic for malicious FHIRPath expressions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49485. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart