Apache PDFBox 2.0.15 released: fix XML External Entity (XXE) vulnerability

Apache PDFBox

Apache PDFBox

The Apache PDFBox library is an open source Java tool for working with PDF documents. This project allows the creation of new PDF documents, manipulation of existing documents and the ability to extract content from documents. PDFBox also includes several command line utilities. PDFBox is published under the Apache License, Version 2.0.

Apache PDFBox


  • Extract Text: Extract Unicode text from PDF files.
  • Split & Merge: Split a single PDF into many files or merge multiple PDF files.
  • Fill Forms: Extract data from PDF forms or fill a PDF form.
  • Preflight: Validate PDF files against the PDF/A-1b standard.
  • Print: Print a PDF file using the standard Java printing API.
  • Save as Image: Save PDFs as image files, such as PNG or JPEG.
  • Create PDFs: Create a PDF from scratch, with embedded fonts and images.
  • Signing: Digitally sign PDF files.

Apache PDFBox 2.0.15 has been released.


  • [PDFBOX-4436] – Error opening encrypted PDF in Acrobat IOS/Android
  • [PDFBOX-4473] – OS2WindowsMetricsTable.FSTYPE_EDITIBLE should be 8 instead of 4
  • [PDFBOX-4474] – NPE in Type1Parser.readValue()
  • [PDFBOX-4475] – PDFMergerUtility is very slow, almost in dead loop
  • [PDFBOX-4476] – Need handle the NullPointerException in PDPageTree
  • [PDFBOX-4477] – Large encrypted file takes days to be parsed
  • [PDFBOX-4478] – Import XFDF stamp annotation has malformed appearance
  • [PDFBOX-4479] – Java 6 error
  • [PDFBOX-4480] – Problem extracting text in newline characters and spaces beetween words
  • [PDFBOX-4484] – Some JBIG2 images are corrupted when subsampling is enabled
  • [PDFBOX-4485] – Adobe reader on android can not see attachments
  • [PDFBOX-4487] – Cannot set documentMergeMode
  • [PDFBOX-4488] – NegativeArraySizeException with image with extreme width
  • [PDFBOX-4490] – .getNumberofPages() returns incorrect value
  • [PDFBOX-4492] – JVM crashes on PDFRenderer.renderImage
  • [PDFBOX-4493] – InputStream not closed after reading
  • [PDFBOX-4494] – Problem with google noto bold font and hungarian characters
  • [PDFBOX-4495] – Expected number, actual=COSFloat
  • [PDFBOX-4496] – OCG enablement with string parameter is not well defined
  • [PDFBOX-4497] – dash phase start should be float
  • [PDFBOX-4500] – K Array order in structure tree reversed when merging
  • [PDFBOX-4503] – Width 0 during pdf rendering
  • [PDFBOX-4504] – Warnings when structure tree RoleMap is merged if the key is already existing in destination directory


  • [PDFBOX-4491] – slow rendering for PDF
  • [PDFBOX-4502] – Performance issue with splitter and huge files
  • [PDFBOX-4505] – CVE-2019-0228: possible XML External Entity (XXE) attack
  • [PDFBOX-4508] – Unexpected slowness filling forms with CJK