Orthanc DICOM Server Gzip Decompression Bomb Vulnerability

Vulnerability

Orthanc DICOM Server versions through 1.12.10 are vulnerable to a gzip decompression bomb. When the server handles an HTTP request carrying 'Content-Encoding: gzip', it decompresses the body without bounding the size of the decompressed output. A small, specially crafted gzip payload that expands to a very large output therefore forces the server into excessive memory allocation and exhausts system memory.

Impact

Exploitation causes excessive memory allocation driven by attacker-controlled compression metadata: the amount of memory the server commits is dictated by what the payload claims or expands to, not by a server-side limit. System memory is exhausted and the Orthanc process is terminated, resulting in a denial-of-service condition.
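The two points above (unbounded output when inflating a gzip body, and size metadata that the sender controls) are illustrated by the following added example. It is not Orthanc code and makes no claim about how Orthanc's HTTP layer is implemented; it is a generic Python demonstration using only the standard library. The sample payload is constructed in the block (a gzip stream of zero bytes), and all function names are chosen for this example.

```python
import gzip
import struct
import zlib

GZIP_WBITS = 16 + zlib.MAX_WBITS   # tell zlib to expect a gzip wrapper


class DecompressionLimitExceeded(ValueError):
    """Raised when the inflated body would exceed the configured cap."""


def make_zero_bomb(inflated_size: int) -> bytes:
    """Constructed sample payload: gzip of `inflated_size` zero bytes.
    Deflate compresses this at roughly 1000:1, so a few KiB on the wire
    inflate to many MiB inside the receiver."""
    return gzip.compress(b"\x00" * inflated_size)


def claimed_isize(gz: bytes) -> int:
    """ISIZE: the last four little-endian bytes of a gzip member, which the
    sender claims is the uncompressed length mod 2**32. It is attacker
    controlled and must never be used to size an allocation."""
    return struct.unpack("<I", gz[-4:])[0]


def forge_isize(gz: bytes, claimed: int) -> bytes:
    """Return a copy of `gz` whose trailer claims a different inflated length
    (the CRC32 field before it is left untouched)."""
    return gz[:-4] + struct.pack("<I", claimed & 0xFFFFFFFF)


def gunzip_bounded(gz: bytes, max_output: int, chunk_out: int = 64 * 1024) -> bytes:
    """Inflate `gz` incrementally and abort as soon as the output would
    exceed `max_output` bytes. Peak memory is bounded by the cap plus one
    chunk, whatever the payload claims or expands to."""
    d = zlib.decompressobj(wbits=GZIP_WBITS)
    out = bytearray()
    pending = gz
    while True:
        piece = d.decompress(pending, chunk_out)   # at most chunk_out bytes back
        if len(out) + len(piece) > max_output:
            raise DecompressionLimitExceeded(
                f"inflated body exceeds {max_output} bytes "
                f"(stopped after {len(out) + len(piece)} bytes)")
        out += piece
        if d.eof:
            break
        pending = d.unconsumed_tail                # input not yet consumed
        if not pending and not piece:
            raise ValueError("truncated gzip stream")
    if d.unused_data:
        raise ValueError("trailing data after gzip member")
    return bytes(out)


if __name__ == "__main__":
    bomb = make_zero_bomb(16 * 1024 * 1024)
    print(f"bomb: {len(bomb)} bytes on the wire, trailer claims "
          f"{claimed_isize(bomb)} bytes; forged trailer can claim "
          f"{claimed_isize(forge_isize(bomb, 0xFFFFFFFF))}")
    try:
        gunzip_bounded(bomb, max_output=1024 * 1024)
    except DecompressionLimitExceeded as exc:
        print("rejected:", exc)
```

The decoder never trusts ISIZE and never allocates the full claimed output up front; it inflates in fixed-size chunks and stops the moment the running total passes the cap, so a 16 KiB payload that would inflate to 16 MiB costs at most the cap plus one chunk before it is rejected. A real server would apply the same bound per request, choosing `max_output` from the largest legitimate body it expects to receive.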

Remediation

Users are advised to upgrade to Orthanc version 1.12.11, which addresses this vulnerability. Consult the Orthanc documentation and release notes for guidance on patching and deployment.

Added: Apr 9, 2026, 4:24 PM
Updated: Apr 9, 2026, 4:24 PM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 2.5
exploitability: 7.0
remediation: 7.7
relevance: 5.5
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.