Overview
This advisory addresses a known security vulnerability identified in a third-party dependency used within DPGW.
Vulnerability Details
- CVE ID: CVE-2025-53644
- Dependency Name: dcm4che-imageio-opencv
- Affected Version of Dependency: <=5.34.2
- Severity Score: 6.6 Medium
Affected Versions of DPGW
- 1.13.13-REL – 1.13.14-REL
- <=1.12.37-REL
Risk Assessment & Applicability
Usage
DPGW uses dcm4che-imageio-opencv specifically to transcode DICOM images in compressed formats such as JPEG2000 and JPEG-LS.
Analysis
dcm4che-imageio-opencv is not directly vulnerable; the vulnerability is transitive, as it depends on the OpenCV library. Attackers can exploit this vulnerability only if they can store a malicious DICOM image in the running PACS system and if DicomImageReader.properties is set to use OpenCV to decode JPEGs.
Status
Affected
Impact on DPGW
If an attacker were to successfully exploit this vulnerability in the context of our software, the potential impact would be a temporary denial of service for users, as it might cause the application to crash.
Remediation & Mitigations
Fix
Update DPGW to:
- 1.13.15-REL (released on 2026-02-23) or newer
- 1.12.38-REL (released on 2026-02-23) or newer
User Actions
Users can mitigate this vulnerability by reconfiguring the conf/DicomImageReader.properties file to disable the use of OpenCV and use ImageIO instead.
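To confirm the mitigation took effect, the script below lists every active entry in a properties file that still references OpenCV. It is an added example, not DPGW code: it assumes the file follows Java .properties syntax and that an OpenCV-backed reader is identifiable by the string "opencv" in its entry; the sample content and its key and class names are constructed.

```python
import re

# Assumption: an entry that selects an OpenCV-backed reader mentions "opencv"
# somewhere in its key or value (for example in a class or package name).
OPENCV_MARK = re.compile(r"opencv", re.IGNORECASE)
ENTRY = re.compile(r"((?:\\.|[^\s=:\\])+)\s*[=:]?\s*(.*)", re.DOTALL)

# Constructed sample, not the file shipped with DPGW.
SAMPLE = """\
# constructed sample for illustration
# opencv is mentioned in this comment only
transfer-syntax-a = jpeg:example.imageio.JpegReader
transfer-syntax-b = jpeg2000:\\
    example.OpenCV.J2kReader
transfer-syntax-c: jpeg-ls:example.imageio.JlsReader
"""

def parse_properties(text):
    """Yield (first_line_no, key, value) for each entry, joining continued lines."""
    buf, start = None, 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if buf is None:
            if not line or line[0] in "#!":
                continue                      # blank line or comment
            buf, start = "", no
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:                 # odd backslash count: entry continues
            buf += line[:-1]
            continue
        m = ENTRY.match(buf + line)
        buf = None
        if m:
            yield start, m.group(1), m.group(2)
    if buf is not None:                       # file ended inside a continued entry
        m = ENTRY.match(buf)
        if m:
            yield start, m.group(1), m.group(2)

def opencv_entries(text):
    """Return (line_no, key) for every active entry that references OpenCV."""
    return [(no, key) for no, key, value in parse_properties(text)
            if OPENCV_MARK.search(key) or OPENCV_MARK.search(value)]

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE
    for no, key in opencv_entries(text):
        print(f"line {no}: entry '{key}' references OpenCV")
```

Run it with the path to conf/DicomImageReader.properties as the only argument; no output means no active entry mentions OpenCV.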