A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header. The server allocates memory directly based on the attacker supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely large `Content-Length` value can trigger excessive memory allocation and server termination, even without sending a request body.
| Vendor | Product | Versions |
|---|---|---|
| Orthanc | DICOM Server | 0, 1.12.10 |
Updated description with more technical detail, added affected version 1.12.10, changed severity to HIGH, and noted that no exploit is available.
Initial creation
