GHSA-fxj4-p9xp-37v5
Suggest an improvement- Source
- https://github.com/advisories/GHSA-fxj4-p9xp-37v5
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-fxj4-p9xp-37v5/GHSA-fxj4-p9xp-37v5.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-fxj4-p9xp-37v5
- Aliases
-
- CVE-2026-55470
- Published
- 2026-06-17T18:47:23Z
- Modified
- 2026-06-17T19:00:18.603185695Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- HAPI FHIR: Incomplete fix for CVE-2026-45367: DSTU2 FHIRPathEngine.matches() missing RegexTimeout protection allows ReDoS
- Details
-
Summary
The fix for CVE-2026-45367 added
RegexTimeoutprotection to thematches()function in DSTU2016MAY, DSTU3, R4, R4B, and R5, but the DSTU2 module was incompletely patched. Inorg.hl7.fhir.dstu2,replaceMatches()was updated whilematches()at line 2462 still calls the rawString.matches(sw)without any timeout, allowing an unauthenticated attacker to trigger catastrophic regex backtracking and exhaust server CPU.Details
Incomplete patch
Within the same file (
org.hl7.fhir.dstu2/utils/FHIRPathEngine.java), the two functions were patched inconsistently:Line 2226 — replaceMatches() — PATCHED:
result.add(new StringType( RegexTimeout.replaceAll( convertToString(focus.get(0)), regex, repl, regexTimeoutMillis)));Line 2462 — matches() — NOT PATCHED:
result.add(new BooleanType( convertToString(focus.get(0)).matches(sw))); // ↑ raw String.matches() — no RegexTimeout, no complexity checkDSTU3 line 2447 — matches() — PATCHED (for comparison):
result.add(new BooleanType( RegexTimeout.matches(st, sw, regexTimeoutMillis)));Module-by-module status
| Module |
matches()|replaceMatches()| |---|---|---| | DSTU2 | ❌ rawstr.matches(sw)| ✅RegexTimeout.replaceAll()| | DSTU2016MAY | ✅RegexTimeout.matches()| ✅ | | DSTU3 | ✅RegexTimeout.matches()| ✅ | | R4 | ✅RegexTimeout.matches()| ✅ | | R4B | ✅RegexTimeout.matches()| ✅ | | R5 | ✅RegexTimeout.matches()| ✅ |PoC
Requirements: Java 17+, Maven 3.8+
pom.xml dependencies:
<dependency> <groupId>ca.uhn.hapi.fhir</groupId> <artifactId>org.hl7.fhir.utilities</artifactId> <version>6.9.7</version> </dependency>Test code (reproduces the exact behaviour of DSTU2 line 2462):
import org.hl7.fhir.utilities.regex.RegexTimeout; import java.util.concurrent.*; String regex = "((a|b){0,5}){20}"; String input = "a".repeat(25) + "c"; // no match → full backtracking // ① Patched approach — RegexTimeout terminates at 500 ms long t1 = System.currentTimeMillis(); try { RegexTimeout.matches(input, regex, 500); } catch (TimeoutException e) { System.out.println("RegexTimeout blocked in " + (System.currentTimeMillis() - t1) + " ms"); } // ② DSTU2 line 2462 — raw String.matches(), no timeout long t2 = System.currentTimeMillis(); input.matches(regex); // equivalent to what FHIRPathEngine does System.out.println("str.matches() ran for " + (System.currentTimeMillis() - t2) + " ms with no timeout");Verified output (JDK 25.0.3, Linux):
RegexTimeout blocked in 508 ms ← patched modules: attack stopped str.matches() ran for 1410 ms ← DSTU2: no timeout, CPU exhaustedThe patched approach cuts off the evaluation at 508 ms. The unpatched DSTU2 code runs for 1410 ms on this input with no mechanism to stop it. Longer inputs or more complex patterns produce proportionally worse results.
Impact
Vulnerability type: Regular Expression Denial of Service (ReDoS) causing CPU exhaustion and service disruption.
Who is impacted: Any application using the
ca.uhn.hapi.fhir:org.hl7.fhir.dstu2module that evaluates user-supplied FHIRPath expressions — including the FHIR Validator HTTP endpoint, FHIR servers applying FHIRPath invariants from user-provided resources or profiles, and any system embeddingFHIRPathEnginefrom the DSTU2 module. No authentication is required; an attacker needs only to submit a FHIR resource or FHIRPath expression whosematches()argument contains a catastrophically backtracking regular expression. - Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-06-17T18:47:23Z", "nvd_published_at": null, "severity": "HIGH", "cwe_ids": [ "CWE-1333" ] }- References
Affected packages
Maven
ca.uhn.hapi.fhir:org.hl7.fhir.dstu2
Package
- Name
- ca.uhn.hapi.fhir:org.hl7.fhir.dstu2
- View open source insights on deps.dev
- Purl
- pkg:maven/ca.uhn.hapi.fhir/org.hl7.fhir.dstu2
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.9.10
Affected versions
0.*
0.0.1
0.0.2
0.0.14
0.1.18
1.*
1.0.0
1.1.67
4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.1.0
4.2.0
5.*
5.0.0
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11
5.0.12
5.0.13
5.0.14
5.0.15
5.0.16
5.0.17
5.0.18
5.0.19
5.0.20
5.0.21
5.0.22
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.1.8
5.1.9
5.1.10
5.1.11
5.1.12
5.1.13
5.1.14
5.1.15
5.1.16
5.1.17
5.1.18
5.1.19
5.1.20
5.1.21
5.1.22
5.2.0
5.2.1
5.2.3
5.2.4
5.2.5
5.2.7
5.2.8
5.2.9
5.2.10
5.2.11
5.2.12
5.2.13
5.2.16
5.2.18
5.2.19
5.2.20
5.3.0
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9
5.3.10
5.3.11
5.3.12
5.3.14
5.4.0
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6
5.4.7
5.4.8
5.4.9
5.4.10
5.4.11
5.4.12
5.5.1
5.5.2
5.5.3
5.5.4
5.5.6
5.5.7
5.5.8
5.5.9
5.5.10
5.5.11
5.5.12
5.5.13
5.5.14
5.5.15
5.5.16
5.6.0
5.6.1
5.6.2
5.6.3
5.6.4
5.6.5
5.6.6
5.6.7
5.6.9
5.6.12
5.6.13
5.6.15
5.6.17
5.6.18
5.6.19
5.6.20
5.6.21
5.6.22
5.6.23
5.6.24
5.6.25
5.6.26
5.6.27
5.6.28
5.6.29
5.6.30
5.6.31
5.6.32
5.6.33
5.6.34
5.6.35
5.6.36
5.6.37
5.6.38
5.6.39
5.6.40
5.6.41
5.6.42
5.6.43
5.6.44
5.6.45
5.6.46
5.6.47
5.6.48
5.6.50
5.6.51
5.6.52
5.6.53
5.6.54
5.6.55
5.6.56
5.6.57
5.6.58
5.6.59
5.6.60
5.6.61
5.6.62
5.6.63
5.6.64
5.6.65
5.6.66
5.6.67
5.6.68
5.6.69
5.6.70
5.6.71
5.6.72
5.6.73
5.6.74
5.6.75
5.6.76
5.6.77
5.6.78
5.6.79
5.6.80
5.6.81
5.6.82
5.6.83
5.6.84
5.6.85
5.6.86
5.6.87
5.6.88
5.6.89
5.6.90
5.6.91
5.6.92
5.6.93
5.6.94
5.6.95
5.6.96
5.6.97
5.6.98
5.6.99
5.6.100
5.6.101
5.6.102
5.6.103
5.6.104
5.6.105
5.6.106
5.6.107
5.6.108
5.6.109
5.6.110
5.6.111
5.6.112
5.6.113
5.6.114
5.6.115
5.6.116
5.6.117
5.6.881
5.6.971
6.*
6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6
6.0.7
6.0.8
6.0.9
6.0.10
6.0.11
6.0.12
6.0.13
6.0.14
6.0.15
6.0.16
6.0.17
6.0.18
6.0.19
6.0.20
6.0.21
6.0.22
6.0.22.1
6.0.22.2
6.0.23
6.0.24
6.0.25
6.1.0
6.1.1
6.1.2
6.1.2.1
6.1.2.2
6.1.3
6.1.4
6.1.5
6.1.6
6.1.7
6.1.8
6.1.9
6.1.10
6.1.11
6.1.12
6.1.13
6.1.14
6.1.15
6.1.16
6.2.0
6.2.1
6.2.2
6.2.3
6.2.4
6.2.5
6.2.6
6.2.6.1
6.2.7
6.2.8
6.2.9
6.2.10
6.2.11
6.2.12
6.2.13
6.2.14
6.2.15
6.3.0
6.3.1
6.3.2
6.3.3
6.3.4
6.3.5
6.3.6
6.3.7
6.3.8
6.3.9
6.3.10
6.3.11
6.3.12
6.3.13
6.3.14
6.3.15
6.3.16
6.3.17
6.3.18
6.3.19
6.3.20
6.3.21
6.3.22
6.3.23
6.3.24
6.3.25
6.3.26
6.3.27
6.3.28
6.3.29
6.3.30
6.3.31
6.3.32
6.4.0
6.4.1
6.4.2
6.4.3
6.4.4
6.5.0
6.5.1
6.5.2
6.5.3
6.5.4
6.5.5
6.5.6
6.5.7
6.5.8
6.5.9
6.5.10
6.5.11
6.5.12
6.5.13
6.5.14
6.5.15
6.5.16
6.5.17
6.5.18
6.5.18.1
6.5.19
6.5.20
6.5.21
6.5.22
6.5.23
6.5.24
6.5.25
6.5.26
6.5.27
6.5.28
6.6.0
6.6.1
6.6.2
6.6.3
6.6.4
6.6.5
6.6.6
6.6.7
6.7.0
6.7.1
6.7.2
6.7.3
6.7.4
6.7.5
6.7.6
6.7.7
6.7.8
6.7.9
6.7.10
6.7.11
6.8.0
6.8.1
6.8.2
6.9.0
6.9.1
6.9.2
6.9.3
6.9.4
6.9.4.1
6.9.4.2
6.9.5
6.9.6
6.9.7
6.9.8
6.9.9
ca.uhn.hapi.fhir:org.hl7.fhir.convertors
Package
- Name
- ca.uhn.hapi.fhir:org.hl7.fhir.convertors
- View open source insights on deps.dev
- Purl
- pkg:maven/ca.uhn.hapi.fhir/org.hl7.fhir.convertors
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.9.10
Affected versions
0.*
0.0.1
0.0.2
0.0.14
0.1.18
1.*
1.0.0
1.1.67
4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.1.0
4.2.0
5.*
5.0.0
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11
5.0.12
5.0.13
5.0.14
5.0.15
5.0.16
5.0.17
5.0.18
5.0.19
5.0.20
5.0.21
5.0.22
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.1.8
5.1.9
5.1.10
5.1.11
5.1.12
5.1.13
5.1.14
5.1.15
5.1.16
5.1.17
5.1.18
5.1.19
5.1.20
5.1.21
5.1.22
5.2.0
5.2.1
5.2.3
5.2.4
5.2.5
5.2.7
5.2.8
5.2.9
5.2.10
5.2.11
5.2.12
5.2.13
5.2.16
5.2.18
5.2.19
5.2.20
5.3.0
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9
5.3.10
5.3.11
5.3.12
5.3.14
5.4.0
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6
5.4.7
5.4.8
5.4.9
5.4.10
5.4.11
5.4.12
5.5.1
5.5.2
5.5.3
5.5.4
5.5.6
5.5.7
5.5.8
5.5.9
5.5.10
5.5.11
5.5.12
5.5.13
5.5.14
5.5.15
5.5.16
5.6.0
5.6.1
5.6.2
5.6.3
5.6.4
5.6.5
5.6.6
5.6.7
5.6.9
5.6.12
5.6.13
5.6.15
5.6.17
5.6.18
5.6.19
5.6.20
5.6.21
5.6.22
5.6.23
5.6.24
5.6.25
5.6.26
5.6.27
5.6.28
5.6.29
5.6.30
5.6.31
5.6.32
5.6.33
5.6.34
5.6.35
5.6.36
5.6.37
5.6.38
5.6.39
5.6.40
5.6.41
5.6.42
5.6.43
5.6.44
5.6.45
5.6.46
5.6.47
5.6.48
5.6.50
5.6.51
5.6.52
5.6.53
5.6.54
5.6.55
5.6.56
5.6.57
5.6.58
5.6.59
5.6.60
5.6.61
5.6.62
5.6.63
5.6.64
5.6.65
5.6.66
5.6.67
5.6.68
5.6.69
5.6.70
5.6.71
5.6.72
5.6.73
5.6.74
5.6.75
5.6.76
5.6.77
5.6.78
5.6.79
5.6.80
5.6.81
5.6.82
5.6.83
5.6.84
5.6.85
5.6.86
5.6.87
5.6.88
5.6.89
5.6.90
5.6.91
5.6.92
5.6.93
5.6.94
5.6.95
5.6.96
5.6.97
5.6.98
5.6.99
5.6.100
5.6.101
5.6.102
5.6.103
5.6.104
5.6.105
5.6.106
5.6.107
5.6.108
5.6.109
5.6.110
5.6.111
5.6.112
5.6.113
5.6.114
5.6.115
5.6.116
5.6.117
5.6.881
5.6.971
6.*
6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6
6.0.7
6.0.8
6.0.9
6.0.10
6.0.11
6.0.12
6.0.13
6.0.14
6.0.15
6.0.16
6.0.17
6.0.18
6.0.19
6.0.20
6.0.21
6.0.22
6.0.22.1
6.0.22.2
6.0.23
6.0.24
6.0.25
6.1.0
6.1.1
6.1.2
6.1.2.1
6.1.2.2
6.1.3
6.1.4
6.1.5
6.1.6
6.1.7
6.1.8
6.1.9
6.1.10
6.1.11
6.1.12
6.1.13
6.1.14
6.1.15
6.1.16
6.2.0
6.2.1
6.2.2
6.2.3
6.2.4
6.2.5
6.2.6
6.2.6.1
6.2.7
6.2.8
6.2.9
6.2.10
6.2.11
6.2.12
6.2.13
6.2.14
6.2.15
6.3.0
6.3.1
6.3.2
6.3.3
6.3.4
6.3.5
6.3.6
6.3.7
6.3.8
6.3.9
6.3.10
6.3.11
6.3.12
6.3.13
6.3.14
6.3.15
6.3.16
6.3.17
6.3.18
6.3.19
6.3.20
6.3.21
6.3.22
6.3.23
6.3.24
6.3.25
6.3.26
6.3.27
6.3.28
6.3.29
6.3.30
6.3.31
6.3.32
6.4.0
6.4.1
6.4.2
6.4.3
6.4.4
6.5.0
6.5.1
6.5.2
6.5.3
6.5.4
6.5.5
6.5.6
6.5.7
6.5.8
6.5.9
6.5.10
6.5.11
6.5.12
6.5.13
6.5.14
6.5.15
6.5.16
6.5.17
6.5.18
6.5.18.1
6.5.19
6.5.20
6.5.21
6.5.22
6.5.23
6.5.24
6.5.25
6.5.26
6.5.27
6.5.28
6.6.0
6.6.1
6.6.2
6.6.3
6.6.4
6.6.5
6.6.6
6.6.7
6.7.0
6.7.1
6.7.2
6.7.3
6.7.4
6.7.5
6.7.6
6.7.7
6.7.8
6.7.9
6.7.10
6.7.11
6.8.0
6.8.1
6.8.2
6.9.0
6.9.1
6.9.2
6.9.3
6.9.4
6.9.4.1
6.9.4.2
6.9.5
6.9.6
6.9.7
6.9.8
6.9.9
ca.uhn.hapi.fhir:org.hl7.fhir.validation
Package
- Name
- ca.uhn.hapi.fhir:org.hl7.fhir.validation
- View open source insights on deps.dev
- Purl
- pkg:maven/ca.uhn.hapi.fhir/org.hl7.fhir.validation
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.9.10
Affected versions
0.*
0.0.1
0.0.2
0.0.14
0.1.18
1.*
1.0.0
1.1.67
4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.1.0
4.2.0
5.*
5.0.0
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11
5.0.12
5.0.13
5.0.14
5.0.15
5.0.16
5.0.17
5.0.18
5.0.19
5.0.20
5.0.21
5.0.22
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.1.8
5.1.9
5.1.10
5.1.11
5.1.12
5.1.13
5.1.14
5.1.15
5.1.16
5.1.17
5.1.18
5.1.19
5.1.20
5.1.21
5.1.22
5.2.0
5.2.1
5.2.3
5.2.4
5.2.5
5.2.7
5.2.8
5.2.9
5.2.10
5.2.11
5.2.12
5.2.13
5.2.16
5.2.18
5.2.19
5.2.20
5.3.0
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9
5.3.10
5.3.11
5.3.12
5.3.14
5.4.0
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6
5.4.7
5.4.8
5.4.9
5.4.10
5.4.11
5.4.12
5.5.1
5.5.2
5.5.3
5.5.4
5.5.6
5.5.7
5.5.8
5.5.9
5.5.10
5.5.11
5.5.12
5.5.13
5.5.14
5.5.15
5.5.16
5.6.0
5.6.1
5.6.2
5.6.3
5.6.4
5.6.5
5.6.6
5.6.7
5.6.9
5.6.12
5.6.13
5.6.15
5.6.17
5.6.18
5.6.19
5.6.20
5.6.21
5.6.22
5.6.23
5.6.24
5.6.25
5.6.26
5.6.27
5.6.28
5.6.29
5.6.30
5.6.31
5.6.32
5.6.33
5.6.34
5.6.35
5.6.36
5.6.37
5.6.38
5.6.39
5.6.40
5.6.41
5.6.42
5.6.43
5.6.44
5.6.45
5.6.46
5.6.47
5.6.48
5.6.50
5.6.51
5.6.52
5.6.53
5.6.54
5.6.55
5.6.56
5.6.57
5.6.58
5.6.59
5.6.60
5.6.61
5.6.62
5.6.63
5.6.64
5.6.65
5.6.66
5.6.67
5.6.68
5.6.69
5.6.70
5.6.71
5.6.72
5.6.73
5.6.74
5.6.75
5.6.76
5.6.77
5.6.78
5.6.79
5.6.80
5.6.81
5.6.82
5.6.83
5.6.84
5.6.85
5.6.86
5.6.87
5.6.88
5.6.89
5.6.90
5.6.91
5.6.92
5.6.93
5.6.94
5.6.95
5.6.96
5.6.97
5.6.98
5.6.99
5.6.100
5.6.101
5.6.102
5.6.103
5.6.104
5.6.105
5.6.106
5.6.107
5.6.108
5.6.109
5.6.110
5.6.111
5.6.112
5.6.113
5.6.114
5.6.115
5.6.116
5.6.117
5.6.881
5.6.971
6.*
6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6
6.0.7
6.0.8
6.0.9
6.0.10
6.0.11
6.0.12
6.0.13
6.0.14
6.0.15
6.0.16
6.0.17
6.0.18
6.0.19
6.0.20
6.0.21
6.0.22
6.0.22.1
6.0.22.2
6.0.23
6.0.24
6.0.25
6.1.0
6.1.1
6.1.2
6.1.2.1
6.1.2.2
6.1.3
6.1.4
6.1.5
6.1.6
6.1.7
6.1.8
6.1.9
6.1.10
6.1.11
6.1.12
6.1.13
6.1.14
6.1.15
6.1.16
6.2.0
6.2.1
6.2.2
6.2.3
6.2.4
6.2.5
6.2.6
6.2.6.1
6.2.7
6.2.8
6.2.9
6.2.10
6.2.11
6.2.12
6.2.13
6.2.14
6.2.15
6.3.0
6.3.1
6.3.2
6.3.3
6.3.4
6.3.5
6.3.6
6.3.7
6.3.8
6.3.9
6.3.10
6.3.11
6.3.12
6.3.13
6.3.14
6.3.15
6.3.16
6.3.17
6.3.18
6.3.19
6.3.20
6.3.21
6.3.22
6.3.23
6.3.24
6.3.25
6.3.26
6.3.27
6.3.28
6.3.29
6.3.30
6.3.31
6.3.32
6.4.0
6.4.1
6.4.2
6.4.3
6.4.4
6.5.0
6.5.1
6.5.2
6.5.3
6.5.4
6.5.5
6.5.6
6.5.7
6.5.8
6.5.9
6.5.10
6.5.11
6.5.12
6.5.13
6.5.14
6.5.15
6.5.16
6.5.17
6.5.18
6.5.18.1
6.5.19
6.5.20
6.5.21
6.5.22
6.5.23
6.5.24
6.5.25
6.5.26
6.5.27
6.5.28
6.6.0
6.6.1
6.6.2
6.6.3
6.6.4
6.6.5
6.6.6
6.6.7
6.7.0
6.7.1
6.7.2
6.7.3
6.7.4
6.7.5
6.7.6
6.7.7
6.7.8
6.7.9
6.7.10
6.7.11
6.8.0
6.8.1
6.8.2
6.9.0
6.9.1
6.9.2
6.9.3
6.9.4
6.9.4.1
6.9.4.2
6.9.5
6.9.6
6.9.7
6.9.8
6.9.9
ca.uhn.hapi.fhir:org.hl7.fhir.validation.cli
Package
- Name
- ca.uhn.hapi.fhir:org.hl7.fhir.validation.cli
- View open source insights on deps.dev
- Purl
- pkg:maven/ca.uhn.hapi.fhir/org.hl7.fhir.validation.cli