Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/515224?format=api
{
  "url": "http://public2.vulnerablecode.io/api/packages/515224?format=api",
  "purl": "pkg:maven/ca.uhn.hapi.fhir/org.hl7.fhir.dstu2016may@6.9.6",
  "type": "maven",
  "namespace": "ca.uhn.hapi.fhir",
  "name": "org.hl7.fhir.dstu2016may",
  "version": "6.9.6",
  "qualifiers": {},
  "subpath": "",
  "is_vulnerable": true,
  "next_non_vulnerable_version": "6.9.7",
  "latest_non_vulnerable_version": "6.9.7",
  "affected_by_vulnerabilities": [
    {
      "url": "http://public2.vulnerablecode.io/api/vulnerabilities/94814?format=api",
      "vulnerability_id": "VCID-bkfw-fpag-hybj",
      "summary": "HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint\n## Summary\n\nAll implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions `matches()`, `matchesFull()`, and `replaceMatches()` pass user-controlled regular expressions directly to Java's `Pattern.compile()` and `String.replaceAll()` without complexity checks or timeouts. An attacker can send a resource containing an evil regex pattern that causes catastrophic backtracking, exhausting system resources, and causing Denial-of-Service.\n\n## Details\n\nThe vulnerability exists in regex execution in FHIRPathEngine implementations across multiple code modules. For example the org.hl7.fhir.r5 module:\n\n\n**Entry point 1 — `FHIRPathEngine.java:5929` (R5 `funcMatches`):**\n```java\nprivate List<Base> funcMatches(ExecutionContext context, List<Base> focus, ExpressionNode exp) {\n String sw = convertToString(swb); // attacker-controlled regex pattern\n // ...\n Pattern p = Pattern.compile(\"(?s)\" + sw); // VULNERABLE: no complexity check\n Matcher m = p.matcher(st); // no timeout\n boolean ok = m.find();\n```\n\n**Entry point 2 — `FHIRPathEngine.java:5951` (R5 `funcMatchesFull`):**\n```java\nPattern p = Pattern.compile(\"(?s)\" + sw); // VULNERABLE: same pattern\nMatcher m = p.matcher(st);\nboolean ok = m.matches();\n```\n\n**Entry point 3 — `FHIRPathEngine.java:5120` (R5 `funcReplaceMatches`):**\n```java\nresult.add(new StringType(convertToString(focus.get(0))\n .replaceAll(regex, repl)).noExtensions()); // VULNERABLE: replaceAll uses Pattern internally\n```\n\nThe same vulnerabilities exist in the dstu2, dstu2016may, dstu3, r4, and r4b modules, and the FHIRPathEngine is used in the validation module functionality.\n\n**Why this is exploitable:**\n- No timeout mechanism covers FHIRPath evaluation — the `ValidationTimeout` class only protects `InstanceValidator` operations, not `evaluateFhirPath()`\n- Java's `Pattern.compile()` with a pattern like `(a+)+$` against input `\"aaaaaaaaaaaaaaaaaaaaaa!\"` causes exponential backtracking (O(2^n) time complexity)\n\n\n## Impact\n\n- **CPU Exhaustion:** The exponential backtracking in Java's regex engine consumes 100% of a CPU core for the duration of the hang (effectively infinite for sufficiently long input strings) for callers of FHIRPathEngine.",
      "references": [
        {
          "reference_url": "https://github.com/hapifhir/org.hl7.fhir.core",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" },
            { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }
          ],
          "url": "https://github.com/hapifhir/org.hl7.fhir.core"
        },
        {
          "reference_url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-3653-68v6-rq57",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" },
            { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" },
            { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }
          ],
          "url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-3653-68v6-rq57"
        },
        {
          "reference_url": "https://github.com/advisories/GHSA-3653-68v6-rq57",
          "reference_id": "GHSA-3653-68v6-rq57",
          "reference_type": "",
          "scores": [
            { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }
          ],
          "url": "https://github.com/advisories/GHSA-3653-68v6-rq57"
        }
      ],
      "fixed_packages": [
        {
          "url": "http://public2.vulnerablecode.io/api/packages/118025?format=api",
          "purl": "pkg:maven/ca.uhn.hapi.fhir/org.hl7.fhir.dstu2016may@6.9.7",
          "is_vulnerable": false,
          "affected_by_vulnerabilities": [],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/ca.uhn.hapi.fhir/org.hl7.fhir.dstu2016may@6.9.7"
        }
      ],
      "aliases": [ "CVE-2026-45367", "GHSA-3653-68v6-rq57" ],
      "risk_score": 4.0,
      "exploitability": "0.5",
      "weighted_severity": "8.0",
      "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bkfw-fpag-hybj"
    }
  ],
  "fixing_vulnerabilities": [],
  "risk_score": "4.0",
  "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/ca.uhn.hapi.fhir/org.hl7.fhir.dstu2016may@6.9.6"
}