CVE-2026-49485 (GCVE-0-2026-49485)

Vulnerability from cvelistv5 – Published: 2026-07-17 20:59 – Updated: 2026-07-17 20:59
VLAI
Title
HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint
Summary
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.9 and 6.9.4.2, all implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation, and the FHIRPath functions matches(), matchesFull(), and replaceMatches() pass user-controlled regular expressions to Java's Pattern.compile() and String.replaceAll() through an incomplete timeout utility. An attacker can send a resource containing an evil regex pattern that causes catastrophic backtracking, exhausting CPU resources and causing denial of service in the FHIR Validator HTTP endpoint and affected org.hl7.fhir.* modules. This issue is fixed in versions 6.9.9 and 6.9.4.2.
CWE
  • CWE-1333 - Inefficient Regular Expression Complexity
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
Impacted products
Vendor Product Version
hapifhir org.hl7.fhir.core Affected: < 6.9.4.2
Affected: >= 6.9.5, < 6.9.9
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "org.hl7.fhir.core",
          "vendor": "hapifhir",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 6.9.4.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 6.9.5, \u003c 6.9.9"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.9 and 6.9.4.2, all implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation, and the FHIRPath functions matches(), matchesFull(), and replaceMatches() pass user-controlled regular expressions to Java\u0027s Pattern.compile() and String.replaceAll() through an incomplete timeout utility. An attacker can send a resource containing an evil regex pattern that causes catastrophic backtracking, exhausting CPU resources and causing denial of service in the FHIR Validator HTTP endpoint and affected org.hl7.fhir.* modules. This issue is fixed in versions 6.9.9 and 6.9.4.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "CWE-1333: Inefficient Regular Expression Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-17T20:59:47.800Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-7cmj-v6x8-frvv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-7cmj-v6x8-frvv"
        },
        {
          "name": "https://github.com/hapifhir/org.hl7.fhir.core/pull/2463",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/hapifhir/org.hl7.fhir.core/pull/2463"
        },
        {
          "name": "https://github.com/hapifhir/org.hl7.fhir.core/commit/109c88837c032ef399b2eb87ddde86692065cf41",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/hapifhir/org.hl7.fhir.core/commit/109c88837c032ef399b2eb87ddde86692065cf41"
        },
        {
          "name": "https://github.com/hapifhir/org.hl7.fhir.core/commit/e08982d2b6f6dcd6c670a762d9cf999179fbe4ed",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/hapifhir/org.hl7.fhir.core/commit/e08982d2b6f6dcd6c670a762d9cf999179fbe4ed"
        },
        {
          "name": "https://github.com/hapifhir/org.hl7.fhir.core/releases/tag/6.9.4.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/hapifhir/org.hl7.fhir.core/releases/tag/6.9.4.2"
        },
        {
          "name": "https://github.com/hapifhir/org.hl7.fhir.core/releases/tag/6.9.9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/hapifhir/org.hl7.fhir.core/releases/tag/6.9.9"
        }
      ],
      "source": {
        "advisory": "GHSA-7cmj-v6x8-frvv",
        "discovery": "UNKNOWN"
      },
      "title": "HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-49485",
    "datePublished": "2026-07-17T20:59:47.800Z",
    "dateReserved": "2026-05-30T04:17:43.095Z",
    "dateUpdated": "2026-07-17T20:59:47.800Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-49485",
      "date": "2026-07-18",
      "epss": "0.00675",
      "percentile": "0.48113"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-49485\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-07-17T22:17:16.893\",\"lastModified\":\"2026-07-17T22:17:16.893\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.9 and 6.9.4.2, all implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation, and the FHIRPath functions matches(), matchesFull(), and replaceMatches() pass user-controlled regular expressions to Java\u0027s Pattern.compile() and String.replaceAll() through an incomplete timeout utility. An attacker can send a resource containing an evil regex pattern that causes catastrophic backtracking, exhausting CPU resources and causing denial of service in the FHIR Validator HTTP endpoint and affected org.hl7.fhir.* modules. This issue is fixed in versions 6.9.9 and 6.9.4.2.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"hapifhir\",\"product\":\"org.hl7.fhir.core\",\"versions\":[{\"version\":\"\u003c 6.9.4.2\",\"status\":\"affected\"},{\"version\":\"\u003e= 6.9.5, \u003c 6.9.9\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"},{\"lang\":\"en\",\"value\":\"CWE-1333\"}]}],\"references\":[{\"url\":\"https://github.com/hapifhir/org.hl7.fhir.core/commit/109c88837c032ef399b2eb87ddde86692065cf41\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/hapifhir/org.hl7.fhir.core/commit/e08982d2b6f6dcd6c670a762d9cf999179fbe4ed\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/hapifhir/org.hl7.fhir.core/pull/2463\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/hapifhir/org.hl7.fhir.core/releases/tag/6.9.4.2\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/hapifhir/org.hl7.fhir.core/releases/tag/6.9.9\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-7cmj-v6x8-frvv\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…