CVE-2026-49485

hapifhir · org.hl7.fhir.core

HAPI FHIR is susceptible to uncontrolled resource consumption due to inefficient regular expression complexity, which can be triggered by unauthenticated attackers to cause a denial of service.

Executive summary

A high-severity denial of service vulnerability in HAPI FHIR allows attackers to exhaust system resources through complex regular expression processing.

Vulnerability

The library is vulnerable to inefficient regular expression complexity (CWE-1333) and uncontrolled resource consumption (CWE-400). This permits unauthenticated attackers to send specially crafted payloads that force the application to consume excessive CPU or memory.

Business impact

The vulnerability carries a CVSS score of 7.5, indicating a significant risk to service availability. Exploitation can lead to application crashes or severe performance degradation, effectively causing a denial of service for critical healthcare interoperability workflows.

Remediation

Immediate Action: Upgrade to version 6.9.4.2 or 6.9.9 to resolve the underlying regex inefficiency.

Proactive Monitoring: Monitor application CPU and memory utilization patterns for sudden, unexplained spikes that may indicate a resource exhaustion attack.

Compensating Controls: Implement input length limits and request timeouts at the gateway level to mitigate the impact of complex payload processing.

Exploitation status

Public Exploit Available: Unknown.

Analyst recommendation

System administrators must update the HAPI FHIR core library to the recommended versions immediately. Ensuring the library is patched is essential to maintaining the stability of FHIR-based services and preventing potential service outages.