CVE-2026-33929
Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache PDFBox Examples.
This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7.
Users are recommended to update to version 2.0.37 or 3.0.8 once available. Until then, they should apply the fix provided in GitHub PR 427.
The ExtractEmbeddedFiles example contained a path traversal vulnerability (CWE-22) described in CVE-2026-23907. However, the change shipped in releases 2.0.36 and 3.0.7 is flawed because it does not consider the file path separator. As a result, a user with write rights on /home/ABC could be the victim of a malicious PDF that results in a write attempt to any path starting with /home/ABC, e.g. "/home/ABCDEF".
Users who have copied this example into their production code should apply the mentioned change. The example has been changed accordingly and is available in the project repository.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path traversal vulnerability in Apache PDFBox's ExtractEmbeddedFiles example allows writing files outside the intended directory.
Vulnerability
Analysis
CVE-2026-33929 is an improper pathname restriction (path traversal, CWE-22) vulnerability in the ExtractEmbeddedFiles example of Apache PDFBox. The issue affects versions 2.0.24 through 2.0.36 and 3.0.0 through 3.0.7. The vulnerability stems from the fix for a previous path traversal bug (CVE-2026-23907) that shipped in releases 2.0.36 and 3.0.7: that fix did not account for the file path separator, so a directory whose name merely shares the target directory's name as a prefix passes the boundary check, and an attacker can bypass the intended restriction [1][3].
Exploitation
An attacker can craft a malicious PDF file containing embedded files with specially crafted filenames that include path traversal sequences. When a victim user runs the ExtractEmbeddedFiles example against this PDF, the code attempts to write the embedded file to a directory. Due to the incomplete check, the file can be written to any path that starts with the intended output directory (e.g., a user with write rights to /home/ABC could have files written to /home/ABCDEF). The attack requires the user to have write permissions on the base directory and to process the malicious PDF using the vulnerable example code [1][3].
Impact
A successful exploit allows an attacker to write arbitrary file content to a location outside the intended extraction directory, potentially overwriting sensitive files or placing malicious files in unexpected locations. The CVSS v3 base score is 4.3 (Medium), reflecting the need for user interaction and specific conditions for exploitation [1].
Mitigation
Apache recommends updating to versions 2.0.37 or 3.0.8 once they become available. Until then, users should apply the fix provided in GitHub PR #427, which improves the directory boundary check by requiring the canonical parent path to either equal the target directory or start with it followed by a file separator [1][3]. Users who have incorporated this example into their own production code should apply the same fix to prevent path traversal attacks.
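The flaw described in the Description and Mitigation sections above comes down to a prefix comparison on canonical paths. The following Java class is an added illustration written for this page; it is not PDFBox's own ExtractEmbeddedFiles code or the text of PR #427. The class name, the method names `flawedIsInside` and `fixedIsInside`, and the sample embedded-file names are assumptions constructed here. `flawedIsInside` shows a plain `startsWith` check of the kind the advisory says is bypassable, and `fixedIsInside` follows the fix as the advisory describes it: the canonical parent path must equal the target directory or start with it followed by a file separator.

```java
import java.io.File;
import java.io.IOException;

/**
 * Added example (not PDFBox project code): the directory-boundary check
 * for an embedded file name, in the flawed prefix-only form and in the
 * form the CVE-2026-33929 advisory describes as the fix.
 */
public final class EmbeddedFileBoundaryCheck {

    /**
     * Prefix-only check. Canonical paths remove "..", but a sibling directory
     * whose name starts with the target's name (e.g. ".../ABCDEF" for
     * target ".../ABC") still satisfies startsWith and is wrongly accepted.
     */
    static boolean flawedIsInside(File targetDir, String embeddedName) throws IOException {
        String dir = targetDir.getCanonicalPath();
        File out = new File(targetDir, embeddedName);
        String parent = out.getCanonicalFile().getParent();
        return parent != null && parent.startsWith(dir);
    }

    /**
     * Fixed check as described in the advisory: the canonical parent must be
     * the target directory itself, or lie below it, i.e. begin with the
     * directory followed by the platform file separator.
     */
    static boolean fixedIsInside(File targetDir, String embeddedName) throws IOException {
        String dir = targetDir.getCanonicalPath();
        File out = new File(targetDir, embeddedName);
        String parent = out.getCanonicalFile().getParent();
        if (parent == null) {
            return false;
        }
        return parent.equals(dir) || parent.startsWith(dir + File.separator);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample target directory (assumed name "ABC" under the temp dir).
        File target = new File(System.getProperty("java.io.tmpdir"), "ABC");

        // Constructed sample embedded-file names, as they might appear in a PDF.
        String[] names = {
            "report.txt",              // benign: lands directly in ABC
            "sub/report.txt",          // benign: nested below ABC
            "../ABCDEF/report.txt",    // sibling sharing the prefix "ABC": only the flawed check accepts it
            "../../outside/report.txt" // plain traversal: both checks reject it
        };

        for (String name : names) {
            System.out.printf("%-28s flawed=%-5b fixed=%-5b%n", name,
                    flawedIsInside(target, name), fixedIsInside(target, name));
        }
    }
}
```

Running `main` prints one line per sample name; the third line is the case from the advisory, accepted by the prefix-only check and rejected by the corrected one. Both variants canonicalize before comparing, so symbolic links and ".." segments are resolved on both sides; the only difference is the separator-aware comparison, which is exactly what the advisory says was missing.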
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.pdfbox:pdfbox-examples | Maven | >= 2.0.24, < 2.0.37 | 2.0.37 |
| org.apache.pdfbox:pdfbox-examples | Maven | >= 3.0.0, < 3.0.8 | 3.0.8 |
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (5)
- github.com/apache/pdfbox/pull/427/changes (source: nvd; Patch, WEB)
- github.com/advisories/GHSA-gcj8-76p4-g2fq (source: ghsa; ADVISORY)
- lists.apache.org/thread/j8l07tgzy9dm8d8n0f3c45h7zg7t3ld6 (source: nvd; Mailing List, Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-33929 (source: ghsa; ADVISORY)
- lists.apache.org/thread/op3lyx1ngzy4qycn06l6hljyf28ff0zs (source: nvd; Mailing List, WEB)
News mentions (0)
No linked articles in our index yet.