CVE-2025-25475 in DCMTK
Summary
by MITRE • 02/19/2025
A NULL pointer dereference in the component /libsrc/dcrleccd.cc of DCMTK v3.6.9+ DEV allows attackers to cause a Denial of Service (DoS) via a crafted DICOM file.
Analysis
by VulDB Data Team • 06/01/2025
CVE-2025-25475 is a critical null pointer dereference flaw in the DCMTK library, affecting version 3.6.9 and the later development versions. The flaw is located in the /libsrc/dcrleccd.cc component, which handles DICOM file processing. The Digital Imaging and Communications in Medicine (DICOM) standard is widely used in healthcare environments to store and transmit medical images and related data, so a flaw in a core DICOM library is of particular concern given how critical healthcare IT systems are. The flaw is triggered when the library processes a specially crafted DICOM file that drives the decompression or processing of an RLE (Run Length Encoding) compressed data stream into a null pointer dereference.
The defect lies in the DICOM compression handling code, where insufficient input validation and error checking fail to handle malformed or crafted DICOM data structures. When the affected DCMTK library processes such a file, the code path reaches a dereference of a pointer that should have been initialized or validated but is null. This code runs inside the medical imaging applications that rely on DCMTK for DICOM file manipulation, including PACS (Picture Archiving and Communication Systems), medical imaging workstations, and other healthcare information systems. The null pointer dereference crashes or terminates the application immediately, a denial of service that disrupts legitimate medical imaging workflows and can affect patient care delivery.
The operational impact goes beyond a simple service disruption, because DICOM file processing is fundamental to diagnostic workflows on mission-critical healthcare infrastructure. An attacker only needs to craft a malicious DICOM file and present it to a system running a vulnerable DCMTK version, which makes the attack vector highly accessible and low-risk for the attacker. Affected software includes medical imaging devices, hospital information systems, radiology workstations, and any other software that uses DCMTK for DICOM file handling. Because DCMTK is a widely deployed open-source library in healthcare environments, the potential for widespread impact is significant, especially where systems automatically process incoming DICOM files without additional validation.
Mitigation for CVE-2025-25475 should start with updating affected DCMTK installations to the latest stable release that contains the fix. Organizations should add input validation and sanitization to every DICOM file processing workflow, including security layers that can detect and quarantine suspicious files before they reach the core processing components. Network segmentation and access controls should limit the exposure of vulnerable systems to untrusted sources of DICOM files. The vulnerability is classified as CWE-476 (NULL Pointer Dereference) and is a typical example of how insecure coding practices in a widely used library create systemic security risk. In ATT&CK terms it maps to technique T1499.004, in which attackers leverage application-level flaws to disrupt service availability. Organizations should also consider intrusion detection capable of identifying anomalies in DICOM file processing and maintain incident response procedures that specifically cover healthcare IT service disruption scenarios.
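The advisory does not identify which pointer in dcrleccd.cc goes unchecked, so the following is an added illustration rather than DCMTK code or the upstream fix: a standalone C validator for the 64-byte DICOM RLE header (the PS3.5 Annex G layout) that rejects a null or truncated fragment, a segment count outside 1..15, and offsets outside the buffer before any segment pointer is formed, the kind of up-front input check the mitigation guidance above calls for. The sample fragments are constructed inside the code and are not taken from any real DICOM file.

```c
#include <stdint.h>
#include <stddef.h>
/* DICOM RLE header (PS3.5 Annex G): 16 little-endian uint32 words = 64 bytes.
 * Word 0 = segment count (1..15); words 1..15 = byte offset of each segment
 * from the start of the fragment (unused entries are 0). */
#define RLE_HEADER_LEN 64u
#define RLE_MAX_SEGMENTS 15u
enum rle_status { RLE_OK = 0, RLE_ERR_NULL = -1, RLE_ERR_SHORT = -2,
                  RLE_ERR_SEGCOUNT = -3, RLE_ERR_OFFSET = -4 };

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Check the header before any segment pointer is formed: a NULL or short
 * buffer, a bad segment count, or an offset outside the fragment is rejected
 * here rather than discovered as a crash inside the decoder. */
int rle_header_validate(const uint8_t *buf, size_t len, uint32_t *nseg_out) {
    if (buf == NULL) return RLE_ERR_NULL;
    if (len < RLE_HEADER_LEN) return RLE_ERR_SHORT;
    uint32_t nseg = rd_le32(buf);
    if (nseg == 0 || nseg > RLE_MAX_SEGMENTS) return RLE_ERR_SEGCOUNT;
    uint32_t prev = 0;
    for (uint32_t i = 1; i <= nseg; i++) {
        uint32_t off = rd_le32(buf + 4 * i);
        if (i == 1 && off != RLE_HEADER_LEN) return RLE_ERR_OFFSET; /* first segment follows header */
        if (off <= prev || off >= len) return RLE_ERR_OFFSET;      /* empty or out of bounds */
        prev = off;
    }
    if (nseg_out) *nseg_out = nseg;
    return RLE_OK;
}

/* Constructed fragments (not from any real DICOM file): variant 0 is well
 * formed, each other variant breaks exactly one rule. */
int rle_demo_case(int variant) {
    uint8_t frag[RLE_HEADER_LEN + 32] = {0};
    uint32_t words[3] = { 2, 64, 80 };   /* two segments at offsets 64 and 80 */
    switch (variant) {
    case 1: words[0] = 0;    break;      /* zero segments */
    case 2: words[0] = 16;   break;      /* more than 15 segments */
    case 3: words[1] = 60;   break;      /* first segment starts inside the header */
    case 4: words[2] = 4096; break;      /* second segment lies past the buffer */
    case 5: return rle_header_validate(NULL, sizeof frag, NULL);
    default: break;
    }
    for (int i = 0; i < 3; i++)          /* serialize the header words little-endian */
        for (int b = 0; b < 4; b++) frag[4 * i + b] = (uint8_t)(words[i] >> (8 * b));
    return rle_header_validate(frag, sizeof frag, NULL);
}
```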