Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts the uncompressed size metadata for each file. An attacker can craft a small ZIP file with a forged size value that is many times larger than the actual compressed data. When the server processes the file, it allocates memory buffers based on the forged size, rapidly consuming system memory. This results in the Orthanc process becoming unresponsive or crashing, effectively denying service to legitimate users.

The flaw exists in all versions of the Orthanc DICOM server that include the automatic ZIP extraction feature. The advisory does not list specific version numbers, which suggests that every release supporting this behavior is vulnerable unless the feature has been disabled via configuration. Hospital imaging infrastructures and any environment that relies on Orthanc for quick uploads must verify whether automatic extraction is active and whether a fix has been applied.

The vulnerability can be triggered by delivering a crafted ZIP file over the network to an Orthanc endpoint, which is likely exposed to remote users. No publicly demonstrated exploit is known and the EPSS score is not available. However, the potential to consume all available memory and bring down a critical medical imaging server makes the risk significant. The situation is especially serious in high‑availability or critical‑care environments where uninterrupted service is essential.