CVE-2024-51132
CRITICAL
HAPI FHIR < 6.4.0 - XML External Entity Injection via Crafted XML Request
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2024-51132. PoCs published by JAckLosingHeart.
AI-analyzed exploit summary
This PoC demonstrates an XXE vulnerability in multiple HL7 FHIR libraries by loading a malicious XML file via the `Translations` class. The exploit can lead to SSRF or information leakage.
Description
An XML External Entity (XXE) vulnerability in HAPI FHIR before v6.4.0 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted request containing malicious XML entities.
Exploits (1)
nomisec
WORKING POC
1 star
by JAckLosingHeart · poc
https://github.com/JAckLosingHeart/CVE-2024-51132-POC
Classification
Working PoC 90%
Attack Type
SSRF | Info Leak
Complexity
Trivial
Reliability
Reliable
Target:
org.hl7.fhir libraries < 6.4.0
No auth needed
Prerequisites:
Access to a vulnerable FHIR library version · Ability to provide a malicious XML file
devstral-2 · analyzed Feb 16, 2026
References (2)
Core References
Various Sources
https://github.com/JAckLosingHeart/CVE-2024-51132-POC
Various Sources
https://github.com/hapifhir/org.hl7.fhir.core
Scores
CVSS v3
9.8
EPSS
0.0794
EPSS Percentile
92.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-611
Status
published
Products (9)
ca.uhn.hapi.fhir/org.hl7.fhir.convertors
0 - 6.4.0 · Maven
ca.uhn.hapi.fhir/org.hl7.fhir.dstu2
0 - 6.4.0 · Maven
ca.uhn.hapi.fhir/org.hl7.fhir.dstu2016may
0 - 6.4.0 · Maven
ca.uhn.hapi.fhir/org.hl7.fhir.dstu3
0 - 6.4.0 · Maven
ca.uhn.hapi.fhir/org.hl7.fhir.r4
0 - 6.4.0 · Maven
ca.uhn.hapi.fhir/org.hl7.fhir.r4b
0 - 6.4.0 · Maven
ca.uhn.hapi.fhir/org.hl7.fhir.r5
0 - 6.4.0 · Maven
ca.uhn.hapi.fhir/org.hl7.fhir.utilities
0 - 6.4.0 · Maven
ca.uhn.hapi.fhir/org.hl7.fhir.validation
0 - 6.4.0 · Maven
Published
Nov 05, 2024
Tracked Since
Feb 18, 2026