CVE-2026-49485
hapifhir · org.hl7.fhir.core
HAPI FHIR is susceptible to uncontrolled resource consumption due to inefficient regular expression complexity, which can be triggered by unauthenticated attackers to cause a denial of service.
Executive summary
A high-severity denial of service vulnerability in HAPI FHIR allows attackers to exhaust system resources through complex regular expression processing.
Vulnerability
The library is vulnerable to inefficient regular expression complexity (CWE-1333) and uncontrolled resource consumption (CWE-400). This permits unauthenticated attackers to send specially crafted payloads that force the application to consume excessive CPU or memory.
Business impact
The vulnerability carries a CVSS score of 7.5, indicating a significant risk to service availability. Exploitation can lead to application crashes or severe performance degradation, effectively causing a denial of service for critical healthcare interoperability workflows.
Remediation
Immediate Action: Upgrade to version 6.9.4.2 or 6.9.9 to resolve the underlying regex inefficiency.
Proactive Monitoring: Monitor application CPU and memory utilization patterns for sudden, unexplained spikes that may indicate a resource exhaustion attack.
Compensating Controls: Implement input length limits and request timeouts at the gateway level to mitigate the impact of complex payload processing.
Exploitation status
Public Exploit Available: Unknown.
Analyst recommendation
System administrators must update the HAPI FHIR core library to the recommended versions immediately. Ensuring the library is patched is essential to maintaining the stability of FHIR-based services and preventing potential service outages.