CVEs - iText 5 Documentation
iText dependencies:
2025
CVE-2025-8916 - This CVE describes an issue with the Bouncy Castle Java dependencies which was addressed by iText 5.5.13.5.
2024
CVE-2024-29857 - This CVE report describes a vulnerability discovered in the Java and .NET Bouncy Castle dependencies for iText 5.5.13.3. This was addressed by iText 5.5.13.4.
2023
iText 5 targets Java 5, which means that we cannot update org.apache.santuario:xmlsec version to 2.x.x or newer as it requires Java 8.
If you are not using the com.itextpdf.text.pdf.security.MakeXmlSignature class then you can avoid adding the org.apache.santuario:xmlsec dependency into your project. This means that you would not be affected by the related vulnerabilities, for example https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESANTUARIO-1655558.
If you are using the com.itextpdf.text.pdf.security.MakeXmlSignature class, e.g. for XFA signatures, then you can either:
use org.apache.santuario:xmlsec 1.5.8 as a dependency which is affected by the vulnerability specified above, but works on Java 5+, or;
use org.apache.santuario:xmlsec 2.1.7 or newer. However, this would require Java 8+ and affects the output format (see https://issues.apache.org/jira/browse/SANTUARIO-494 for details).
CVE-2023-33201 - This CVE describes an LDAP injection vulnerability in Bouncy Castle for Java versions below 1.74. It's safe for you to update your dependencies so that the Bouncy Castle transitive dependency is 1.74. For example:
<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcpkix-jdk15on</artifactId>
    <version>1.74</version>
    <optional>true</optional>
</dependency>
<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcprov-jdk15on</artifactId>
    <version>1.74</version>
    <optional>true</optional>
</dependency>
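A dependency check for the versions named on this page, as an added example rather than iText's own tooling: it reads `mvn dependency:tree` output and reports artifacts that resolve below those versions. The sample tree is constructed, and comparing versions by their numeric parts only is a simplifying assumption.

```python
import re

# (groupId, artifactId prefix, minimum version named on this page, reference)
RULES = [
    ("org.bouncycastle", "bc", (1, 74), "CVE-2023-33201"),
    ("org.apache.santuario", "xmlsec", (2, 1, 7), "SNYK-JAVA-ORGAPACHESANTUARIO-1655558"),
    ("com.itextpdf", "itextpdf", (5, 5, 13, 4), "CVE-2024-29857"),
    ("com.itextpdf", "itextpdf", (5, 5, 13, 5), "CVE-2025-8916"),
]

# group:artifact:type[:classifier]:version[:scope] as printed by dependency:tree
COORD = re.compile(r"[\w.-]+(?::[\w.-]+){3,5}")

def parse_coordinate(line):
    """Return (group, artifact, version) for a tree line, or None for other output."""
    match = COORD.search(line)
    if not match:
        return None
    parts = match.group(0).split(":")
    version = parts[4] if len(parts) == 6 else parts[3]  # 6 parts: classifier present
    return parts[0], parts[1], version

def as_tuple(version):
    """Numeric parts only (assumption): qualifiers such as -SNAPSHOT are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def audit(tree_text):
    """List (coordinate, resolved version, reference) for every rule that is not met."""
    findings = []
    for line in tree_text.splitlines():
        coord = parse_coordinate(line)
        if coord is None:
            continue
        group, artifact, version = coord
        for rule_group, prefix, minimum, ref in RULES:
            if group == rule_group and artifact.startswith(prefix) and as_tuple(version) < minimum:
                findings.append((f"{group}:{artifact}", version, ref))
    return findings

# Constructed sample output, not taken from a real project.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.6.0:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:1.0.0
[INFO] +- com.itextpdf:itextpdf:jar:5.5.13.3:compile
[INFO] +- org.bouncycastle:bcprov-jdk15on:jar:1.70:compile
[INFO] +- org.bouncycastle:bcpkix-jdk15on:jar:1.74:compile
[INFO] \\- org.apache.santuario:xmlsec:jar:1.5.8:compile
"""

if __name__ == "__main__":
    for coordinate, version, ref in audit(SAMPLE_TREE):
        print(f"{coordinate} {version} is below the version named for {ref}")
```

An xmlsec finding only matters if the project uses com.itextpdf.text.pdf.security.MakeXmlSignature; otherwise the dependency can be left out entirely, as described above.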
2022
CVE-2022-24197 - This CVE is not applicable to the iText 5 product line.
CVE-2022-24196 - This CVE is not applicable to the iText 5 product line.