Impact
Orthanc automatically extracts ZIP archives uploaded to certain endpoints and relies on the archive metadata that states the uncompressed size of each archived file. An attacker can craft a small ZIP archive in which that size field is forged to a value far beyond any realistic limit. During extraction the server allocates buffers sized from the forged value, driving memory usage up and potentially exhausting the system's memory. The flaw is classified as CWE-770 (Excessive Resource Consumption). The result is a denial of service in which the server becomes unresponsive, restarts, or crashes, disrupting legitimate DICOM operations.
Affected Systems
The vulnerability affects Orthanc DICOM Server products that automatically decompress ZIP uploads. No specific version numbers are listed, so any Orthanc installation using the default ZIP extraction routine is potentially vulnerable.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. Based on the description, an attacker can presumably exploit the flaw remotely by uploading a malicious ZIP file to any endpoint that accepts ZIP data. Authentication or additional privileges are not explicitly stated as required; that, and the attack vector itself, are inferred from the fact that the server processes uploaded archives without validating their size metadata.
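The mitigation the description implies, for both the Impact and the Risk sections above, is to treat the declared uncompressed size as untrusted: use it only to refuse oversized uploads early, and then decompress in fixed-size chunks under a hard byte cap rather than sizing a buffer from the header. The following is an added Python example of that pattern and is not Orthanc's own code (Orthanc is written in C++, and its actual endpoints and extraction routine are not shown on this page); the limit constants, function names and the in-memory fixtures are assumptions for illustration.

```python
import io
import zipfile

# Policy limits, chosen for this example; a real deployment would set them
# from the largest archive it legitimately expects to receive.
MAX_ENTRIES = 100
MAX_ENTRY_BYTES = 1 * 1024 * 1024   # 1 MiB per archived file
MAX_TOTAL_BYTES = 4 * 1024 * 1024   # 4 MiB across the whole archive
CHUNK = 64 * 1024                   # fixed read size; memory never depends on the header


class ZipPolicyError(ValueError):
    """Raised when an archive violates the size policy."""


def check_declared_sizes(infos, max_entry=MAX_ENTRY_BYTES, max_total=MAX_TOTAL_BYTES):
    """First gate: reject on the *declared* sizes before anything is allocated.

    The uncompressed-size field is attacker-controlled, so it is used only to
    refuse work early, never to size a buffer.
    """
    if len(infos) > MAX_ENTRIES:
        raise ZipPolicyError(f"too many entries: {len(infos)}")
    total = 0
    for zi in infos:
        if zi.file_size > max_entry:
            raise ZipPolicyError(f"{zi.filename}: declared size {zi.file_size} exceeds {max_entry}")
        total += zi.file_size
        if total > max_total:
            raise ZipPolicyError(f"declared total {total} exceeds {max_total}")
    return total


def extract_bounded(zf, zi, max_entry=MAX_ENTRY_BYTES):
    """Second gate: stream-decompress in fixed chunks with a hard byte cap.

    Memory use is bounded by the data actually produced, not by the header,
    so a small declared size hiding a large payload is stopped as well.
    """
    out = io.BytesIO()
    written = 0
    with zf.open(zi) as src:
        while True:
            chunk = src.read(CHUNK)
            if not chunk:
                break
            written += len(chunk)
            if written > max_entry:
                raise ZipPolicyError(f"{zi.filename}: decompressed output exceeds {max_entry}")
            out.write(chunk)
    return out.getvalue()


def safe_unzip(blob):
    """Extract an uploaded archive (bytes) into {name: content} under both gates."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = [zi for zi in zf.infolist() if not zi.is_dir()]
        check_declared_sizes(infos)
        return {zi.filename: extract_bounded(zf, zi) for zi in infos}


def build_zip(entries):
    """Constructed fixture: pack {name: bytes} into an in-memory ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def run_demo():
    """Exercise both gates on constructed inputs; returns a dict of outcomes."""
    results = {}

    # 1. A normal upload passes both gates.
    good = build_zip({"study/a.dcm": b"\x00" * 1000, "README.txt": b"hello"})
    results["good_entries"] = len(safe_unzip(good))

    # 2. Metadata that declares a 1 TiB file is refused before any allocation.
    #    The value is set on an in-memory ZipInfo (constructed stand-in for a
    #    forged central-directory record).
    forged = zipfile.ZipInfo("huge.dcm")
    forged.file_size = 1 << 40
    try:
        check_declared_sizes([forged])
        results["forged_rejected"] = False
    except ZipPolicyError:
        results["forged_rejected"] = True

    # 3. Streaming cap: 256 KiB of zeros compresses to a few hundred bytes, but
    #    with a 64 KiB cap extraction stops as soon as the output grows past it.
    big_payload = build_zip({"zeros.bin": b"\x00" * (256 * 1024)})
    with zipfile.ZipFile(io.BytesIO(big_payload)) as zf:
        try:
            extract_bounded(zf, zf.infolist()[0], max_entry=64 * 1024)
            results["stream_capped"] = False
        except ZipPolicyError:
            results["stream_capped"] = True
    return results
```

The two gates are deliberately independent: the first costs nothing and stops the case described on this page (a forged size far above any limit), while the second protects against the inverse case, where the declared size is small and the real payload is not, because the cap is enforced on bytes actually produced rather than on anything read from the archive.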
OpenCVE Enrichment