Apache PDFBox security advisories

Security information for Apache PDFBox

Reporting

Do you want disclose a potential security issue for Apache PDFBox? You can read more about the projects’ security policy on their security page, and email your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Path Traversal in PDFBox ExtractEmbeddedFiles Example Code

CVE-2026-33929 [CVE] [CVE json] [OSV json]

Last updated: 2026-04-14T08:09:38.140Z

Affected

  • Apache PDFBox Examples from 2.0.24 through 2.0.36
  • Apache PDFBox Examples from 3.0.0 through 3.0.7

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache PDFBox Examples.

This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7.

Users are recommended to update to version 2.0.37 or 3.0.8 once available. Until then, they should apply the fix provided in GitHub PR 427.

The ExtractEmbeddedFiles example contained a path traversal vulnerability (CWE-22) mentioned in CVE-2026-23907. However the change in the releases 2.0.36 and 3.0.7 is flawed because it doesn't consider the file path separator. Because of that, a user having writing rights on /home/ABC could be victim to a malicious PDF resulting in a write attempt to any path starting with /home/ABC, e.g. "/home/ABCDEF".

Users who have copied this example into their production code should apply the mentioned change. The example has been changed accordingly and is available in the project repository.

References

Credits

  • Kaixuan Li (finder)

Path Traversal in PDFBox ExtractEmbeddedFiles Example Code

CVE-2026-23907 [CVE] [CVE json]

Last updated: 2026-03-10T16:53:49.159Z

Affected

  • Apache PDFBox Examples from 2.0.24 through 2.0.35
  • Apache PDFBox Examples from 3.0.0 through 3.0.6

Description

This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6.

The ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because the filename that is obtained from PDComplexFileSpecification.getFilename() is appended to the extraction path.
Users who have copied this example into their production code should review it to ensure that the extraction path is acceptable. The example has been changed accordingly, now the initial path and the extraction paths are converted into canonical paths and it is verified that extraction path contains the initial path. The documentation has also been adjusted.

References

Credits

  • Joakim Bülow (Neo4j Security Team) (finder)

A carefully crafted PDF file can trigger an infinite loop while loading the file

CVE-2021-31812 [CVE] [CVE json] [OSV json]

Last updated: 2021-06-12T09:40:30.803Z

Affected

  • Apache PDFBox from Apache PDFBox before 2.0.24

Description

In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.

References

Credits

  • Apache PDFBox would like to thank Chaoyuan Peng for reporting this issue

A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading a tiny file

CVE-2021-31811 [CVE] [CVE json] [OSV json]

Last updated: 2021-06-12T09:40:36.582Z

Affected

  • Apache PDFBox from Apache PDFBox before 2.0.24

Description

In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.

References

Credits

  • Apache PDFBox would like to thank Chaoyuan Peng for reporting this issue

A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file

CVE-2021-27906 [CVE] [CVE json] [OSV json]

Last updated: 2021-03-19T16:03:06.161Z

Affected

  • Apache PDFBox from Apache PDFBox through 2.0.22

Description

A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.

References

Credits

  • Apache PDFBox would like to thank Fabian Meumertzheim for reporting this issue

A carefully crafted PDF file can trigger an infinite loop while loading the file

CVE-2021-27807 [CVE] [CVE json] [OSV json]

Last updated: 2021-03-19T16:02:02.671Z

Affected

  • Apache PDFBox from Apache PDFBox through 2.0.22

Description

A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.

References

Credits

  • Apache PDFBox would like to thank Fabian Meumertzheim for reporting this issue