Skip to main content
Skip table of contents

Release iText Core 7.2.2

Release date: April 11, 2022

It's already Q2 of 2022, and so we're pleased to announce the release of iText Core 7.2.2. Your favorite PDF library for Java and .NET (and more!).

On the Java side we've updated some dependencies such as Bouncy Castle to 1.70, Log4j to 1.7.33, and Logback to 1.2.10. For .NET the System.Text.RegularExpressions dependency is now explicit rather than implicit, and uses version 4.3.1.

We've made some improvements to iText's parsing logic for PDF cross-reference structures. This was to prevent the potential for a PDF's structure to be maliciously created to cause infinite loops or other issues. See the example linked below for more details.

We've also fixed a bug relating to CFF font parsing. As noted in the specification, CFF is a font format which was developed by Adobe to act as a compact container for one or more fonts by using lossless compression. In cases when a font's CID does not correspond to its GID, iText could incorrectly read its cmap values resulting in incorrect glyphs being displayed in PDF viewers. To address this, the font parsing logic has been rewritten to account for fonts where the glyph IDs do not match the CIDs, and will now handle them in the correct and expected manner.

This release also addresses two CVE issues (CVE-2022-24196, and CVE-2022-24197) which were disclosed. See the Changelog or the linked issues for more details.

As always, we try to synchronize the release of iText 7 Core with releases of the iText 7 add-ons making up the rest of the iText 7 Suite. So, besides Core, be sure to also check out:

iText 7 Suite Releases

Release Related Examples



  • Updated some Java dependencies (Bouncy Castle 1.70, Logback 1.2.10, slf4j 1.7.33)
  • Updated (or rather make it explicit) a .NET dependency (System.Text.RegularExpressions 4.3.1)
  • Revised cross-reference parsing logic


  • Fixed CFF font-parsing logic
  • CVE fixes
    • CVE-2022-24196 - out-of-memory error via the component readStreamBytesRaw

    • CVE-2022-24197 - stack-based buffer overflow via the component ByteBuffer.append


Installation Instructions

Examples (latest ones)

FAQ (latest ones)

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.