Apache PDFBox security advisories
Security information for Apache PDFBox
Reporting
Do you want disclose a potential security issue for Apache PDFBox? You can read more about the projects’ security policy on their security page, and email your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Path Traversal in PDFBox ExtractEmbeddedFiles Example Code
CVE-2026-33929 [CVE] [CVE json] [OSV json]
Last updated: 2026-04-14T08:09:38.140Z
Affected
- Apache PDFBox Examples from 2.0.24 through 2.0.36
- Apache PDFBox Examples from 3.0.0 through 3.0.7
Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache PDFBox Examples.
This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7.
Users are recommended to update to version 2.0.37 or 3.0.8 once available. Until then, they should apply the fix provided in GitHub PR 427.
The ExtractEmbeddedFiles example contained a path traversal vulnerability (CWE-22) mentioned in CVE-2026-23907. However the change in the releases 2.0.36 and 3.0.7 is flawed because it doesn't consider the file path separator. Because of that, a user having writing rights on /home/ABC could be victim to a malicious PDF resulting in a write attempt to any path starting with /home/ABC, e.g. "/home/ABCDEF".
Users who have copied this example into their production code should apply the mentioned change. The example has been changed accordingly and is available in the project repository.
References
- https://github.com/apache/pdfbox/pull/427/changes
- https://lists.apache.org/thread/op3lyx1ngzy4qycn06l6hljyf28ff0zs
- https://lists.apache.org/thread/j8l07tgzy9dm8d8n0f3c45h7zg7t3ld6
Credits
- Kaixuan Li (finder)
Path Traversal in PDFBox ExtractEmbeddedFiles Example Code
CVE-2026-23907 [CVE] [CVE json]
Last updated: 2026-03-10T16:53:49.159Z
Affected
- Apache PDFBox Examples from 2.0.24 through 2.0.35
- Apache PDFBox Examples from 3.0.0 through 3.0.6
Description
This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6.
The ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because
the filename that is obtained from
PDComplexFileSpecification.getFilename() is appended to the extraction path.
Users who have copied this example into their production code should
review it to ensure that the extraction path is acceptable. The example
has been changed accordingly, now the initial path and the extraction
paths are converted into canonical paths and it is verified that
extraction path contains the initial path. The documentation has also
been adjusted.
References
Credits
- Joakim Bülow (Neo4j Security Team) (finder)
A carefully crafted PDF file can trigger an infinite loop while loading the file
CVE-2021-31812 [CVE] [CVE json] [OSV json]
Last updated: 2021-06-12T09:40:30.803Z
Affected
- Apache PDFBox from Apache PDFBox before 2.0.24
Description
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
References
Credits
- Apache PDFBox would like to thank Chaoyuan Peng for reporting this issue
A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading a tiny file
CVE-2021-31811 [CVE] [CVE json] [OSV json]
Last updated: 2021-06-12T09:40:36.582Z
Affected
- Apache PDFBox from Apache PDFBox before 2.0.24
Description
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
References
Credits
- Apache PDFBox would like to thank Chaoyuan Peng for reporting this issue
A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file
CVE-2021-27906 [CVE] [CVE json] [OSV json]
Last updated: 2021-03-19T16:03:06.161Z
Affected
- Apache PDFBox from Apache PDFBox through 2.0.22
Description
A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.
References
Credits
- Apache PDFBox would like to thank Fabian Meumertzheim for reporting this issue
A carefully crafted PDF file can trigger an infinite loop while loading the file
CVE-2021-27807 [CVE] [CVE json] [OSV json]
Last updated: 2021-03-19T16:02:02.671Z
Affected
- Apache PDFBox from Apache PDFBox through 2.0.22
Description
A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.
References
Credits
- Apache PDFBox would like to thank Fabian Meumertzheim for reporting this issue