HAPI FHIR Unauthenticated SSRF Vulnerability in Validator HTTP Service Allows Authentication Token Theft
Vulnerability
HAPI FHIR is a Java implementation of the HL7 FHIR standard for healthcare interoperability. In versions prior to 6.9.4, the '/loadIG' endpoint of its FHIR Validator HTTP service exposes an unauthenticated Server-Side Request Forgery (SSRF): the endpoint makes outbound HTTP requests to any URL supplied in the request, with no validation of the destination. On its own this is a classic SSRF; it becomes credential theft because of a second flaw in the service's credential management, which decides whether to attach stored authentication material by checking whether the requested URL string begins with a configured FHIR server URL (prefix matching) rather than by comparing the host and origin exactly. An attacker who registers a domain whose URL prefix-matches a configured server URL (for example a hostname that starts with the legitimate server's hostname but resolves to attacker infrastructure) can therefore make the validator send the stored Bearer token, Basic auth credentials or API key for the legitimate server to the attacker's host. Stolen credentials can then be replayed against protected FHIR endpoints or used to publish malicious packages to FHIR package registries, affecting every downstream consumer of those packages.
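The prefix-matching flaw described above, as an added standalone Python example that is not code from HAPI FHIR or its validator service: a credential store keyed by configured server URL, a lookup that uses plain string prefix matching (the flawed behaviour), and a lookup that requires scheme, host and port to match exactly and the path to match only at a '/' boundary. The server URLs, tokens and attacker hostnames are constructed assumptions. The example also exercises a second bypass of string prefix matching that the page does not mention, a userinfo component placed in front of the attacker host, which the origin-based check rejects for the same reason.

```python
"""Prefix-matched credential lookup (flawed) beside an origin-scoped lookup (fixed).

Constructed example: the configured server URLs, tokens and attacker hosts below are
assumptions for illustration, not values from HAPI FHIR or any real deployment.
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed credential store: configured FHIR server URL -> Authorization header value.
CREDENTIALS = {
    "https://fhir.example.org": "Bearer assumed-token-for-fhir.example.org",
    "https://packages.example.net": "Basic YWRtaW46aHVudGVyMg==",  # assumed Basic credential
}


def lookup_credential_prefix(target_url: str) -> Optional[str]:
    """Flawed lookup: attaches the token whenever the target merely starts with a configured URL.

    'https://fhir.example.org.attacker.test/ig.tgz' starts with 'https://fhir.example.org',
    so an outbound request to the attacker-controlled host carries the real token.
    """
    for server_url, auth in CREDENTIALS.items():
        if target_url.startswith(server_url):
            return auth
    return None


def _origin(url: str) -> Optional[Tuple[str, str, int]]:
    """Return (scheme, lowercased host, effective port) or None if the URL is unusable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # e.g. a non-numeric port component
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return parts.scheme, parts.hostname.lower(), port


def lookup_credential_origin(target_url: str) -> Optional[str]:
    """Fixed lookup: token is sent only when scheme, host and port match a configured server
    exactly and the target path equals the configured path or lies beneath it on a '/' boundary.
    """
    target = _origin(target_url)
    if target is None:
        return None
    target_path = urlsplit(target_url).path or "/"
    for server_url, auth in CREDENTIALS.items():
        if _origin(server_url) != target:
            continue
        base_path = urlsplit(server_url).path.rstrip("/") or "/"
        if target_path == base_path or target_path.startswith(base_path.rstrip("/") + "/"):
            return auth
    return None


def outbound_request_plan(target_url: str, lookup) -> dict:
    """Model what an endpoint like /loadIG would do before fetching: pick the destination host
    and decide which Authorization header (if any) travels with the request.
    """
    parts = urlsplit(target_url)
    return {"host": parts.hostname, "authorization": lookup(target_url)}


if __name__ == "__main__":
    # Constructed attacker URLs: a hostname that string-prefix-matches the configured server,
    # and a userinfo trick ('fhir.example.org@attacker.test') that also prefix-matches.
    for url in (
        "https://fhir.example.org/r4/Patient",                 # legitimate
        "https://fhir.example.org.attacker.test/ig.tgz",       # attacker-registered suffix domain
        "https://fhir.example.org@attacker.test/ig.tgz",       # userinfo in front of attacker host
    ):
        print(url)
        print("  prefix match :", outbound_request_plan(url, lookup_credential_prefix))
        print("  origin match :", outbound_request_plan(url, lookup_credential_origin))
```

The fixed lookup treats the configured server URL as an origin plus a path prefix rather than as an opaque string; that, not the choice of string function, is what stops a foreign host from ever being a candidate for the token. A complete fix for the endpoint would additionally restrict which destinations '/loadIG' may fetch from at all, since the SSRF remains even when no credential is attached.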
Impact
Exploitation yields the authentication tokens and credentials the validator service holds for configured FHIR servers. With them an attacker can read or modify protected health data on those servers and, where the credentials grant publishing rights, push malicious FHIR packages to registries, turning the issue into a supply chain attack on downstream consumers. No authentication to the validator service is required.
Reproduction
To reproduce, run a vulnerable validator service configured with an authentication token for at least one FHIR server, and send an unauthenticated POST request to the '/loadIG' endpoint whose JSON body carries a URL that string-prefix-matches that configured server URL but points at a host under your control. The service makes an outbound HTTP request to that host and includes the stored credential in the Authorization header of the request, which can be observed on the receiving server.
Remediation
Update to HAPI FHIR version 6.9.4 or later, where this vulnerability has been patched. Until the upgrade is in place, do not expose the Validator HTTP service to untrusted networks, and rotate any credentials the service held for FHIR servers or package registries, since a prior compromise cannot be ruled out from the service's own logs alone.
