Page tree

European Commission Digital

DSS v5.2.1

Following a security assessment from the Ruhr-Universität Bochum, we are delivering security patches for DSS versions 5.2 and 5.3.

Delivered patches are:

(warning) Please consider that use of older versions should be discouraged. (warning)

Download DSS v5.2.1

Source code is also available in .zip and tar.gz
Bugs, issues or suggestions? Report it on JIRA

Release Note

XAdES / ASiC with XAdES / TL-based signature validation

If your DSS integration is using XAdES, ASiC with XAdES, or TL-based signature validation, it is strongly encouraged to upgrade your version.

The patches enforce signature validations against different kinds of attack: XML Signature Wrapping (XSW), XPath injections, Server Side Request Forgeries (SSRF) and XML External Entities (XEE).

While upgrading, be sure that your integration :

  • doesn't use Xalan or XercesImpl dependencies
  • uses a patched Java version (JDK7u40+, JDK8 or higher)


If you use dss-pades, it is also strongly encouraged to upgrade your DSS version, as these releases include a fix of PdfBox to patch vulnerabilities.


  • [DSS-1489] - XAdES : remove Xalan dependency
  • [DSS-1508] - PAdES : Upgrade PDFBox
  • [DSS-1509] - XAdES : enforce validation against XSW
  • [DSS-1510] - XAdES : enforce XML Security against XXE
  • [DSS-1511] - XAdES : enforce reference URI validation (SSRF / XPath injections)
  • [DSS-1512] - CommonDataLoader : enforce SSL certificates validation
eSignature standards
Digital Signature Services (DSS)
ETSI Signature Conformance Checker
eSignature Service Desk
What is an electronic signature?
Start using DSS
Apply for eSignature grants