Skip to content
Contact Sales Free Trial Buy Now
Product Documentation

Release Notes & Security Updates

Detailed notes of updates to Nitro products, including new features, enhancements, and bug fixes.

Release Notes

Nitro PDF Pro for Windows

Latest Version: 14.36.1.0 | Release Date: March 4, 2025

What’s New

  • Adds automatic form field detection and creation (advanced online services via Nitro accounts)

Fixed Issues & Improvements

  • Improved the warning message when documents attempt to submit data using JavaScript

  • Resolved an issue ensuring all content displays correctly when opening documents with certain True Type fonts

  • Resolves an issue where some system security policies could cause the installation of the Nitro PDF Creator to fail on Windows 11

  • Resolved an issue in which some PDFs opened with blank pages

  • Fixed an issue where some files could not be edited

  • Other fixes and improvements

Version 14.35.1.0

Release Date: January 28, 2025

What’s New

  • Adds ability to Extract Table Data (advanced online services via Nitro accounts)

  • Adds ability to Extract Form Data (advanced online services via Nitro accounts)

     

Fixed Issues & Improvements

  • Resolved an issue ensuring all content displays correctly when opening certain types of documents

  • Fixed an issue where the redaction tool would redact more than the selected portion in certain PDFs

  • Resolved an issue where certain linearized documents failed to open successfully

  • Fixes an issue applying Microsoft Purview labels to certain files with signature based permissions

  • Other fixes and improvements

Version 14.34.2.0

Release Date: December 24, 2024

Fixed Issues & Improvements:

  • Fixed an issue where some users were experiencing crashes from Office Applications or Windows File Explorer

Version: 14.34.1.0

What's New:

  • Provides NLS users with the ability to customize settings for advanced online tools and services via the Admin portal

Fixed Issues & Improvements:

  • Fixed an issue where some users were incorrectly placed in Expired Trial mode after upgrading
  • Resolved a "Log in to Azure failed" error allowing users to log into their Microsoft account login without issue
  • Removes redundant second confirmation dialog when opening certain links in PDF Pro
  • Ensures the previously selected "Extract Image As" value is displayed correctly
  • Ensures Plain Text conversions respect the "Break each line to width" preferences
  • Other fixes and improvements

Security Issue

Security vulnerabilities previously reported has been addressed in this release. Please visit our Security Updates page for more information.

Version 14.32.0.15

Release Date: November 14, 2024

What's New:

  • Enhanced digital signature validation:
    • Adds support for certificates with root certificates listed on the EUTL (European Union Trusted Lists)
    • Expands compatibility to validate additional types of digital signatures

Fixed Issues & Improvements:

    • Ensures visibility and correct display of all pages for PDF files
    • Enables seamless opening, display, and editing of files created by Skia/PDF m102
    • Resolves crash and reporting issues when combining files
    • Allows users to access local files and folders outside a standard URI scheme from “Import Profile” and import profiles without issue
    • Fixes an issue preventing dynamic hyperlinks from working in PDFs
    • Replaces in-app browser with WebView2 for improved security and latest OS compatibility
    • Other fixes and improvements

Version 14.29.1.0

Release Date: September 25, 2024

What's New:

  • Improves the login experience for greater security and consistency across Nitro products (Nitro accounts): We've simplified and streamlined the login process to align with industry best practices by using a system browser instead of an embedded browser. This provides a faster, more secure way to access the app. You will log in less frequently while ensuring your sessions remain safe, allowing you to easily focus on your work without interruptions.

Fixed Issues & Improvements:

  • Improves support for opening large, complex files from shared servers or network drives
  • Improves the process to ensure PDF files are successfully saved to disk storage services, such as Google Drive, and can be reopened without any issues
  • Ensures new installations of Nitro PDF Pro will not overwrite in-app updater registry keys
  • Fixes Nitro’s MS Outlook Add-in to enable successful email to PDF format conversion
  • Updates the iManage SDK to allow continued support of token caching
  • IE plugins have been removed from Nitro PDF Pro. IE plugins are no longer available in the Nitro PDF Pro app or as a standalone installer.
  • AD RMS has been removed from Nitro PDF Pro. AIP RMS will continue to function as expected.
  • Other fixes and improvements

Version 14.28.4.2

Release Date: August 14, 2024

What's New

  • New 14-Day Nitro Pro Trial Experience: New users who create a Nitro Account can now experience everything Nitro Pro has to offer, including:

Click here to learn more and start your trial.

Version 14.27.2.0

What's New

  • Improved performance when opening large files from a shared server or network drive.
  • Two registry options are now available enabling IT Admins to hide JavaScript and Internet Access settings from Preferences.

Fixed Issues & Improvements:

  • Fixed an issue that prevented URI protocol links from working properly in Nitro PDF Pro. The application now checks if the links are compatible with the programs installed on the user’s computer.
  • A security vulnerability was treated when converting a malformed PDF file, which could lead to access violation.

Security Issue

Security vulnerabilities previously reported has been addressed in this release. Please visit our Security Updates page for more information.

Version 14.26.1.0

 

Release Date: July 15, 2024

What's New

  • Introducing Hang Detection on Nitro PDF Pro for Windows. This feature detects when the application hangs (stops responding) and prompts users to send error reports to Nitro.
    Alongside the existing Crash Detection, the new Hang Detection tool is enabled by default for all users. However, it may be disabled by administrators. See our User Guide and Deployment Guide for more details.

Fixed Issues & Improvements:

  • Resolved an issue where large images (10mb+) used for watermarks could crash the application.
  • Improved performance on document text searching with the Search and Redact tool.
  • Resolved an issue to save trusted URLs to be opened without permission validation.
  • IE plugins have been removed from Nitro PDF Pro. IE plugins are no longer available in the Nitro PDF Pro app or as a standalone installer.

Security Issue

Security vulnerabilities previously reported has been addressed in this release. Please visit our Security Updates page for more information.

Version 14.24.1.0

Release Date: June 5, 2024

This version includes the following updates and fixes.

  • In-App Software Update with Automatic Check for New Versions: Nitro PDF Pro now allows for checking for new updates from within the PDF Pro application, as well as automatically checking for new updates on startup. This functionality is disabled within our Enterprise build and may be disabled for other builds.
  • Windows 11 Compatibility: Nitro PDF Pro now supports Windows 11.
  • IE add-in removed from .msi and .exe installers: Effective from version 14.23 onwards, the add-in for Internet Explorer will no longer be available in PDF Pro installers.
  • SharePoint Extension Enabled for all builds: SharePoint Online extension can be used with all build types of PDF Pro for Windows.
  • Resolved an issue related to difficulty viewing PDF documents with graphical content created in Catia V5.
  • Resolved an issue where data entered in AcroForm-based documents was being reset unintentionally.
  • Resolved an issue where text in some specific documents was being rendered as random characters.
  • Resolved an issue in which some Japanese fonts appear as squares and do not render correctly, even after the appropriate font is installed.
  • Made improvements to resolve some instances of unwanted boxes appearing when documents are opened in PDF Pro.
  • Improved the appearance of redaction marks when redacting multiple lines of text.
  • To increase performance, Digital Signatures statuses may be re-validated manually and automatic revalidation occurs less frequently.
  • Start-up performance has been improved.
  • Issue Resolved: The ”Import Bookmarks” option in Preferences no longer disappears on mouse-over.

Version 14.22.1.0

Release date: March 11, 2024

  • Nitro PDF Pro integration with iManage has been enhanced to handle changes in the folder structure with new iManage releases, which caused an error, “Sorry, Nitro Pro could not find the installation of the iManage Client.”
  • Fixed an issue where file links within a document pointing to a different drive did not work.
  • Nitro PDF Pro now supports links in PDF documents with the 'file' URI protocol, such as file://<host>/<path>.
  • Nitro PDF Pro can now successfully open files protected by FileOpen DRM.
  • An issue that prevented hyperlinks in PDF documents from linking to documents stored in iManage, starting with 'iwl', has been resolved.
  • Issue Resolved: "Dictionary keys must be direct name objects." error no longer appears when opening PDF documents in other PDF viewers that were originally created with custom stamps in Nitro PDF Pro. Additionally, these documents can now be saved in other PDF editors as necessary unlike previously when they showed an error.
  • Issue Resolved: Some customers reported the appearance of unwanted folders named GPUCache and DawnCache.
  • Fixed instances where some customers encountered Error Code: 0x40030004 when attempting to open documents in Nitro PDF Pro.
  • Security measures in malformed PDF document has been enhanced mitigating a risk of informal disclosure.

Version 14.19.1.29

Release date: January 22, 2024

This version includes the following updates and fixes.

  • Nitro’s AI-enabled Knowledge Assistant is now available in Nitro PDF Pro. The Knowledge Assistant allows you to easily get answers to your questions and locate information within the Nitro User Guides and Help documentation.
  • A crash observed by some users when editing the name of Watermark or Header & Footer profiles containing Cyrillic/Chinese/Japanese symbols has been fixed.
  • Fixed an issue where some text was missing in PDF documents created using iText Core library.
  • Fixed an issue where editing certain documents showed unwanted objects/blotches.
  • Fixed an issue where some hyperlinks with UTF characters within a PowerPoint file were not retained when converted to PDF.

Nitro PDF Pro for MacOS

Latest Version: 14.7.0 | Release Date: March 4, 2024

What's New

  • Improved the accuracy and speed of PDF to MS Office format (Word, Excel, Powerpoint) conversions by upgrading the technology powering the MS Office export feature

Fixed Issues & Improvements

  • Improved redaction and text correction for greater speed and accuracy
  • Resolved expiry token issue, ensuring uninterrupted login access with Nitro credentials
  • Adds a link to the License Agreement in the Help menu
  • Fixed an issue of opening a new file from HTML in the Setapp environment where the file selection window would not appear
  • Fixed an issue causing the app to crash when closing the scan window
  • Other fixes and improvements

Version: 14.6.0

December 19, 2024

What's New:

  • The “Keep tools selected after use” preference, located under Settings> Editing, is now disabled by default to make newly added items to a page selectable

Fixed Issues & Improvements

  • Resolved an issue that caused the app to crash when uploading documents to Nitro Sign
  • Fixed an issue where the Extract Form Data tool (advanced online services) failed to detect form data
  • Ensures uninterrupted use of advanced online service tools
  • Other fixes and improvements

Version: 14.5.0

November 6, 2024

What's New:

  • Adds ability to Extract Table Data (advanced online services via Nitro accounts)
  • Adds ability to Extract Form Data (advanced online services via Nitro accounts)
  • Ensures compatibility with the latest operating system (macOS 15 Sequoia)

Fixed Issues & Improvements:

  • Removes outdated major version check message from the auto-updater
  • Other fixes and improvements

Version 14.4.0

October 8, 2024

What's New:

  • Adds ability to rotate small images and drawn objects: Provides you with more creative control over how specific visual elements are presented on your PDF documents. Easily customize the orientation of logos or images, text boxes, or drawn shapes to suit your preferences and the specific needs for your document.
  • Adds ability to group and rotate multiple objects: Save time and effort by rotating multiple items simultaneously. This can be especially useful for diagrams or flowcharts. Grouping objects ensures that all items modified remain aligned, maintain their spatial relationships, and preserve proportions, resulting in a consistent and professional layout.

Fixed Issues & Improvements:

  • Fixes crash that may occur when creating a new document from HTML in Nitro PDF Pro on macOS Sonoma.
  • Restores File > Open dialog to appear when Home screen is disabled.

Version 14.3.0

Release Date: July 9, 2024

What's New:

  • New Home Screen for Convenient Document Access: Easily create a new document or open recent ones right directly after launching Nitro PDF Pro. This streamlined access allows users to immediately focus on important new or ongoing documents without navigating through multiple steps.
  • Improves the visibility of export options: The full range of export options is now accessible from the File menu. Under Export, you can easily find and select MS Office, image, or PDF/A formats from an expanded list. Additionally, these export options are searchable under the Help menu for quick access.

Fixed Issues & Improvements:

  • Provides the ability for business users to customize settings for Knowledge Assistant.
  • Adding highlights to secured documents in specific cases now functions as expected.
  • Enhancements to the Annotations view in the Sidebar make it easier to read the listed annotations, regardless of the chosen accent color.

Version 14.2.0

Release Date: May 30, 2024

What's New:

  • New Knowledge Assistant for easy access to user guides: Easily type “how-to” feature-based questions into a simple chat window and receive synthesized responses from within the app, while actively working on PDF documents.
  • Updated OCR and conversion/export capabilities: Ensures Nitro PDF Pro for Mac has the latest OCR and export technology and operating system compatibility for optimal performance and functionality.
  • New privacy policy and updates to EULA link: Provides access to updated Nitro Terms & Conditions for consistency across products and editions.

Fixed Issues & Improvements:

  • Updated Mac App Store app icon to white Nitro app icon to align with Nitro branding: Refreshed the app icon in the App Store to align with Nitro's branding strategy across its products.
  • Resolved the Apple Script menu not appearing in the Nitro PDF Pro menu bar in the previous version: This menu, which provides easy access to scripts for automation, is now available again in the UI.
  • The “Go to First” or “Last Page“ menu option can now be used when browsing via the Sidebar’s Thumbnail mode: Users can now choose either the first or last page to easily browse through longer documents via the Thumbnail view in the Sidebar.

Version 14.1.0

Release date: April 22, 2024

What’s New:

  • Streamlined Deployment: A combined installer simplifies deployment for both eCommerce and business users, facilitating easy setup and updates.
  • Nitro Sign Support: Now available for all customers. Previously only available to business users, Nitro Sign integration is now accessible to all users, enhancing document signing capabilities.
  • Enhanced Login for Business Users: Improved login experience for business users with Nitro accounts, ensuring smoother access to advanced features.
  • Updated App Branding: The app icon has been refreshed to align with Nitro's branding strategy, ensuring consistency across platforms and editions.

Fixed issues & Improvements:

  • Nitro Analytics Support: Extended to all users, enhancing data-driven insights into document workflows and usage patterns.
  • Apple Subscriptions Support: Implemented RevenueCat to support Apple subscriptions, providing users with flexible payment options.
  • Setapp Framework Integration: Transitioned to Setapp Framework for improved compatibility and functionality within the Setapp ecosystem.
  • Auto-Updater Re-enablement: Automatic updates reinstated for combined retail and business builds, ensuring users stay up-to-date effortlessly.
  • Single Main Build: Consolidated retail and business editions into a single build, simplifying maintenance and updates.
  • Mac App Store Review Requests: Users will be prompted for reviews on the Mac App Store at appropriate intervals, facilitating feedback collection and improving user ratings.
  • Crash Fix: Resolved a crash issue when pasting text from certain websites into text boxes, enhancing overall stability and usability.

Upgrade to PDF Pro for Mac v14.1 today to enjoy these enhancements and fixes for an even smoother document management experience.

Nitro PDF Pro for iOS

Latest Version: 8.3.1 | Release Date: January 23, 2025

Fixed Issues & Improvements

  • Resolved expiry token issue, ensuring uninterrupted login access with Nitro credentials.

Version 8.3

Release Date: November 14, 2024

What's New:

  • Adds ability to Extract Table Data (advanced online services via Nitro accounts)
  • Adds ability to Extract Form Data (advanced online services via Nitro accounts)

Fixed Issues & Improvements:

  • Restores the ability to undo page deletions made via the context menu
  • Ensures the app prompts for camera access permission again after an initial denial
  • Displays an alert for access restrictions on files from enterprise OneDrive accounts
  • Other fixes and improvements

Version: 8.2

 

Release date: September 24, 2024

What's New:

  • Adds scanning support to create new PDFs: Effortlessly generate high-quality PDFs from physical documents like letters, billing statements, and receipts, and save them on your mobile device for easy editing and future use.
  • Enables seamless searching and annotating of scanned documents: Nitro PDF Pro makes unsearchable scanned documents searchable, allowing you to quickly locate and focus on key information. Easily add highlights, notes, or comments to emphasize content for review.
  • Knowledge Assistant for easy access to product documentation (Nitro accounts): The Knowledge Assistant allows you to easily get answers to your questions and locate information within the Nitro User Guides and Help documentation.

Fixed Issues & Improvements:

  • Provides helpful information on using styluses with PDF Pro for iPad & iPhone
  • Improves full screen mode by removing the Toolbar for streamlined viewing
  • Fixes a crash that occurs when highlighting text and then selecting “Undo” function

Version 8.1

Release date: July 30, 2024

What's New:

  • Enhanced page numbering workflow: The improved page numbering dialog allows users to effortlessly update or remove page numbers in their documents. Users now have more flexibility and control over their document formatting and appearance.
  • Enhanced watermarking options: Users can now easily remove any outdated, imperfect, or distracting watermarks previously added to a page. This capability gives users more control and customization over document information and branding.

Version 8.0.1

Release date: June 12, 2024

Fixed Issues & Improvements:

  • Fixes crash affecting customers who do not have an iCloud account

Version 8.0

Release date: June 11, 2024

What’s New:

  • New, modernized UI design, rebuilt from the ground up: The Toolbar streamlines the experience by focusing on the primary user needs on mobile. An updated Editing bar streamlines the editing experience; users can conveniently and intuitively locate the most important editing tools and easily adjust annotation properties.
  • Introduces Reader mode, allowing customers to focus on content: Includes a brightness slider to make the reading experience more comfortable.
  • Adds an interactive product tour: Highlights key features and functionalities welcoming all users.
  • Vision Pro support: Allows users with Vision Pro to go beyond the small screens of iPad or iPhone and read, edit, and sign documents on a much larger and more immersive screen.

Fixed Issues & Improvements:

  • App updates to improve performance and provide a desktop-class experience on iPad: Modernizes underlying code for optimal app maintenance. Introduces segmented controls and toggles for improved navigation.
  • Provides ability to create document with multiple photos from the Files / Documents view.
  • Fixes issue in cases where app does not launch when trying to open documents.

Nitro Workspace

Latest Version: August 2024 | Release Date: August 6, 2024

What’s New:

  • OneDrive access for convenient document editing: Allows customers to add OneDrive online storage. Access and edit documents using Nitro’s web-based PDF editing tools. Seamlessly send for signature with only a few clicks. Easily convert to image or MS Office formats and back. Changes are synced to OneDrive while you work.

  • Tool UI improvements: Descriptions of tools help users quickly understand their use and functions.

Release: May 2024

 
Release date: May 28, 2024

What’s New:

  • Modern UI & dashboard: Work faster with a streamlined user interface and navigation across Workspace, Sign, and Accounts.
  • Nitro PDF Pro apps & Sign access: Get convenient access to PDF Pro download links and Sign service from Workspace for standard users. Team Admins can adjust visibility in the Admin portal.
  • Invite team members to access Workspace tools: Get direct access to the Admin portal from Workspace to invite users to a team and adjust Workspace tool visibility.
  • Tools: Use web-based tools to quickly convert a PDF to MS Office, and back again.
  • Beta tools: Try Nitro’s latest beta tools including Table Extract and Form Extract to export tables and form data to spreadsheets for data processing.
  • Learn: Leverage educational how-to articles and guides to easily onboard Nitro’s apps and services.

Security Updates

Nitro PDF Pro for Windows

Last updated: December 5, 2024 | Originally published: December 5, 2024

Update

Nitro has released a new version of Nitro PDF Pro, which resolves potential security vulnerabilities.

Affected Version(s) Vulnerability CVE Status Solution Acknowledgment

Nitro PDF Pro for Windows 14.32 and earlier

 Local Privilege Escalation N/A Resolved Upgrade to 14.34.1.0 N/A

Date: September 25, 2024

 

Last updated: September 25, 2024

Originally published: July 25, 2023

 

Update

Nitro has released a new version of Nitro PDF Pro, which resolves potential security vulnerabilities.

Affected Version(s) Vulnerability CVE Status Solution Acknowledgment

Nitro PDF Pro for Windows 13.70.7.60 and earlier

Nitro PDF Pro for Windows 14.18.1.41 and earlier

 A security vulnerability has been identified in the MSI installer, which could allow local privilege escalation. CVE-2024-35288 Resolved

Upgrade to version 13.70.8.82+

Upgrade to version 14.26.0+

 Sandro Einfeldt and Michael Baer, SEC Consult Vulnerability Lab

Nitro Pro 13.70.7.60 and earlier

Nitro Pro 14.18.1.41 and earlier

 A Vulnerability in data handling for XFA documents could cause a file to be saved to an arbitrary location on the users filesystem. CVE-2024-44079 Resolved

Upgrade to version 13.70.8.82+

Upgrade to version 14.27.0+

 Jörn Henkel

Date: July 28, 2023

Last updated: 07/28/2023
Originally published: 07/25/2023

Update

Nitro has released a new version of Nitro PDF Pro, which resolves potential security vulnerabilities.

Affected Versions Vulnerability CVE Status Solution

Nitro Pro 13.70.4.50 and earlier

Nitro Pro v14.1.2.47 – 14.5.0.11

A security vulnerability in Artifex Ghostscript

A security vulnerability has been identified in Artifex Ghostscript, which is used for file rendering and conversion

 CVE-2023-36664 Resolved

Upgrade to v13.70.7.60

Upgrade to v14.7.1.21 or later

Date: March 16, 2023

Last updated: 03/16/2023
Originally published: 03/16/2023

Update

Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

Affected Versions Vulnerability CVE Status Solution
Nitro Pro v 13.70.2 and earlier

A security vulnerability in Zlib version, a data compression library used by Nitro PDF Pro

A security vulnerability has been discovered in the Zlib version, which is a data compression library utilized by Nitro PDF Pro.

 CVE-2022-37434 Resolved Upgrade to the latest version of Nitro PDF Pro
Nitro Pro v 13.70.2 and earlier

OpenSSL vulnerability - Access of Resource Using Incompatible Type ('Type Confusion')

OpenSSL vulnerability - Access of Resource Using Incompatible Type ('Type Confusion') This vulnerability has been fixed by upgrading to OpenSSL 1.1.1t.

 CVE-2023-0286 Resolved Upgrade to the latest version of Nitro PDF Pro

Date: December 7, 2022

Last updated: 12/7/2022
Originally published: 12/7/2022

Update

Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

Affected Versions Vulnerability CVE Status Solution
Nitro Pro v 13.70.0 and earlier

Execution of Arbitrary Commands within the Application

A vulnerability exists where the application allows specially crafted PDF documents to execute arbitrary commands within the application.

 CVE-2022-46406 Resolved Upgrade to the latest version of Nitro PDF Pro

Date: October 25, 2021

Last updated: 10/25/2021
Originally published: 10/25/2021

Update

Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

Affected Versions Vulnerability CVE Status Solution
Nitro Pro v 13.49 and earlier

JavaScript local_file_path Object use-after-free vulnerability

A specially crafted document can cause an object containing the path to a document to be destroyed and then later reused, resulting in a use-after-free vulnerability, which can lead to code execution under the context of the application. An attacker can convince a user to open a document to trigger this vulnerability.

 CVE-2021-21796 Resolved Upgrade to the latest version of Nitro Pro
Nitro Pro v 13.49 and earlier

JavaScript TimeOutObject double free vulnerability

A specially crafted document can cause a reference to a timeout object to be stored in two different places. When closed, the document will result in the reference being released twice. This can lead to code execution under the context of the application. An attacker can convince a user to open a document to trigger this vulnerability.

 CVE-2021-21797 Resolved Upgrade to the latest version of Nitro Pro

Date: September 10, 2021

Last updated: 9/10/2021
Originally published: 9/10/2021

Update

Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

Affected Versions Vulnerability CVE Status Solution
Nitro Pro v 13.47 and earlier

Log4net parsing vulnerability
Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.

Important: To apply this fix, please upgrade to the iManage Desktop application of version 10.5 or newer. In order to avoid documents becoming read-only, please ensure that all documents opened on the same machine are closed and CHECKED IN.

 CVE-2018-1285 Resolved Upgrade to the latest version of Nitro Pro
Nitro Pro v 13.47 and earlier JavaScript document.flattenPages
A vulnerability exists when opening a specially-crafted PDF document containing JavaScript which can lead to code execution under the context of the application.		 CVE-2021-21798 Resolved Upgrade to the latest version of Nitro Pro

Date: September 30, 2020

Security Incident Update

On September 30, 2020, Nitro became aware of an isolated security incident involving limited access to Nitro databases by an unauthorized third party.

Upon learning about this incident, Nitro took immediate action to ensure the Nitro environment was secure and commenced an investigation with the support of leading cybersecurity and forensic experts. The investigation is now complete, and Nitro can provide further details:

  • The incident involved access to specific Nitro databases, which support certain online services and have been used primarily for the storage of information connected with Nitro’s free online products.
  • Nitro’s free online conversion service does not require users to create a Nitro account or to become a Nitro customer. Users are simply required to provide an email address to which converted files are delivered.
  • There was no impact to Nitro Pro or Nitro Analytics.
  • Exposed user data included user email addresses, full names, highly secure hashed and salted passwords, as well as document metadata in relation to the Nitro online services. A very small portion of the information included company names, titles, and IP addresses.
  • Passwords were not impacted for users who access our cloud services via Single Sign-On (SSO).
  • The investigation further identified limited activity by the unauthorized third party in a legacy cloud services location, impacting less than 0.0073% of stored data in this location. The activity suggests the unauthorized third party was specifically focused on obtaining data related to cryptocurrency.

Upon learning of this incident, Nitro conducted a forced password reset for all users to further secure customer accounts. In addition to this, general guidance to maintain good cyber hygiene includes:

  • Changing online account passwords regularly, using a separate password for online banking, and using a password manager for remembering multiple passwords.
  • Never emailing passwords for online accounts and confirming if online accounts are secure by visiting https://haveibeenpwned.com/.
  • Enabling multi-factor authentication for online accounts where possible and ensuring up-to-date anti-virus software is installed on any device used to access online accounts.

Since the incident, the Nitro IT Security Team has been working closely with external cybersecurity experts to bolster the security of all systems, including enhanced logging, detection and alerting services in all regions, as well as increased data monitoring and re-evaluation of all protocols. The IT environment remains secure and Nitro has not seen any malicious activity since the incident.

Nitro takes the safety and security of our customers’ data seriously, and we are here to support our customers in any way that may be helpful. We encourage anyone with questions to contact incident@gonitro.com.

Date: September 17, 2020

Last updated: 9/17/2020
Originally published: 9/1/2020

Update

Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

Affected Versions Vulnerability CVE Status Solution
Nitro Pro v 13.19 and earlier Object stream parsing integer overflow
A vulnerability exists when opening a specially-crafted PDF document with a cross-reference table which can lead to an out of bounds error causing memory corruption.		 CVE-2020-6113 Resolved Upgrade to the latest version of Nitro Pro
Nitro Pro v 13.22 and earlier app.launchURL JavaScript Command Injection
A vulnerability exists when opening a specially-crafted PDF document containing JavaScript which can lead to command injection.		 CVE-‪2020-25290 Resolved Upgrade to the latest version of Nitro Pro

Date: September 1, 2020

Last updated: 9/1/2020
Originally published: 9/1/2020

Update

Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

Affected Versions Vulnerability CVE Status Solution
Nitro Pro v 13.22.0.414 and earlier XRefTable Entry Missing Object – Use After Free
A vulnerability exists when opening a specially-crafted, malformed PDF document which can lead to a use-after-free condition.		 CVE-2020-6115 Resolved Upgrade to the latest version of Nitro Pro
Nitro Pro v 13.22.0.414 and earlier Indexed ColorSpace Rendering – Buffer Overflow
A vulnerability exists when opening a specially-crafted PDF document with an indexed colorspace which can lead to a buffer overflow causing memory corruption.		 CVE-2020-6116 Resolved Upgrade to the latest version of Nitro Pro
Nitro Pro v 13.22.0.414 and earlier ICCBased ColorSpace Rendering – Buffer Overflow
A vulnerability exists when opening a specially-crafted PDF document with an ICCBased colorspace which can lead to a buffer overflow causing memory corruption.		 CVE-2020-6146 Resolved Upgrade to the latest version of Nitro Pro
Nitro Pro v 13.22.0.414 and earlier app.launchURL JavaScript Command Injection
A vulnerability exists when opening a specially-crafted PDF document containing JavaScript which can lead to command injection		 None Resolved Upgrade to the latest version of Nitro Pro

Date: August 2, 2020

Last updated: 8/2/2020
Originally published: 8/2/2020

Update

Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

 

Affected Versions Vulnerability CVE Status Solution

Nitro Pro v 12.16.3.574 and earlier

Nitro Sign is not affected

 Digital Signature “shadow attacks”
A vulnerability exists when opening a specially-crafted, digitally signed PDF document that can cause previously hidden text to appear when the document is altered after signing.
In order to trigger this vulnerability, the target must open a malicious document prepared in advance by a trusted signer.		 None Resolved Upgrade to the latest version of Nitro Pro

Date: May 8, 2020

Last updated: 5/8/2020
Originally published: 5/8/2020

Update

Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

Affected Versions Vulnerability CVE Status Solution
13.9.1.155 and earlier JavaScript XML error handling – Access of Uninitialised Pointer
A vulnerability exists when opening a specially-crafted PDF document that can cause uninitialized memory access resulting in potential information disclosure. In order to trigger this vulnerability, the target must open a malicious file.		 CVE-2020-6093 Resolved Upgrade to the latest version of Nitro Pro
13.9.1.155 and earlier PDF Nested Pages – Use After Free
A vulnerability exists when opening a specially-crafted malicious PDF document which can lead to out-of-bounds write access with the potential to corrupt memory. In order to trigger this vulnerability, the target must open a malicious file.		 CVE-2020-6074 Resolved Upgrade to the latest version of Nitro Pro
13.13.2.242 and earlier PDF Pattern Object – Integer Overflow or Wraparound
A vulnerability exists when opening a specially-crafted malicious PDF document which can lead to out-of-bounds write access with the potential to corrupt memory. In order to trigger this vulnerability, the target must open a malicious file.		 CVE-2020-6092 Resolved Upgrade to the latest version of Nitro Pro

Date: March 9, 2020

Last updated: 3/9/2020
Originally published: 3/9/2020

Update

Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

Affected Versions Vulnerability CVE
13.9 and prior Heap Corruption npdf.dlll
A vulnerability exists when opening a specially crafted
malicious PDF document which can lead to a heap corruption
vulnerability with the potential to expose contents of memory.		 CVE-2020-10222
13.9 and prior Heap Corruption JBIG2DecodeStream
A vulnerability exists when opening a specially crafted
malicious PDF document which can lead to a heap corruption
vulnerability with the potential to expose contents of memory.		 CVE-2020-10223

 

Solution

Nitro recommends that customers who purchased through the Nitro eCommerce store update their software to the latest version below. Customers on Team plans may contact their Nitro Account Manager for access to updated installers and deployment instructions. Customers on Enterprise plans who have an assigned Customer Success Manager will receive details of updated releases that address the issues.

Updated Version Availability
13.13.2.242 Please update to the latest version of Nitro Pro 13 available here

For more information, please contact the Nitro Security Team at security@gonitro.com

Date: January 9, 2020

Last updated: 1/9/2020
Originally published: 10/31/2019

Update

Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

Affected Versions Vulnerability CVE
13.6 and prior Heap Corruption JPEG2000 ssizDepth
A vulnerability exists when opening a specially crafted
malicious PDF document which can lead to heap corruption
and the application crashing out. Arbitrary remote code
execution has not been proven but may be possible.		 CVE-2019-5045
13.6 and prior Heap Corruption JPEG2000 yTsiz
A vulnerability exists when opening a specially crafted
malicious PDF document which can lead to heap corruption
and the application crashing out. Arbitrary remote code
execution has not been proven but may be possible.		 CVE-2019-5046
13.6 and prior Use After Free CharProcs
A vulnerability exists when opening a specially crafted
malicious PDF document which can lead to use-after-free
condition and the application crashing out.		 CVE-2019-5047
13.6 and prior Heap Corruption ICCBased Color Space
A vulnerability exists when opening a specially crafted
malicious PDF document which can lead to heap corruption
and the application crashing out. Arbitrary remote code
execution has not been proven but may be possible.		 CVE-2019-5048
13.6 and prior Heap Corruption Page Kids
A vulnerability exists when opening a specially crafted
malicious PDF document which can lead to heap corruption
and the application crashing out. Arbitrary remote code
execution has not been proven but may be possible.		 CVE-2019-5050
13.8 and prior Use After Free Stream Length
A vulnerability exists when opening a specially crafted
malicious PDF document which can lead to use-after-free
condition and the application crashing out.		 CVE-2019-5053

 

Solution

Nitro recommends that customers who purchased through the Nitro eCommerce store update their software to the latest version below. Customers on Team plans may contact their Nitro Account Manager for access to updated installers and deployment instructions. Customers on Enterprise plans who have an assigned Customer Success Manager will receive details of updated releases that address the issues.

Updated Version Availability
13.9.1.155 Please update to the latest version of Nitro Pro 13 available here

For more information, please contact the Nitro Security Team at security@gonitro.com

Date: December 20, 2019

Last updated: 12/20/2019
Originally published: 12/20/2019

Update

Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

Affected Versions Vulnerability CVE
12.0.0.112 and prior JBIG2Decode Out-of-Bounds Read Vulnerability
A vulnerability exists when opening a specially crafted
malicious PDF document which can lead to an out-of-bounds
read vulnerability and the application crashing out.		 CVE-2019-19817
12.0.0.112 and prior JBIG2Decode Out-of-Bounds Read Vulnerability
A vulnerability exists when opening a specially crafted
malicious PDF document which can lead to an out-of-bounds
read vulnerability and the application crashing out.		 CVE-2019-19818
12.0.0.112 and prior JBIG2Globals Null Pointer Deference Vulnerability
A vulnerability exists when opening a specially crafted
malicious PDF document which can lead to a null pointer
deference vulnerability and the application crashing out.		 CVE-2019-19819
12.17.0.584 and prior Temporary debug.log file
In certain conditions (ie, an expired trial), a temporary
file "debug.log" may be created in the Nitro Pro working
directory. This debug.log file can be manipulated after
the application is closed in the normal manner.		 CVE-2019-19858

 

Solution

Nitro recommends that customers who purchased through the Nitro eCommerce store update their software to the latest version below. Customers on Team plans may contact their Nitro Account Manager for access to updated installers and deployment instructions. Customers on Enterprise plans who have an assigned Customer Success Manager will receive details of updated releases that address the issues.

Updated Version Availability
13.8.2.140 Please update to the latest version of Nitro Pro 13 available here

For more information, please contact the Nitro Security Team at security@gonitro.com

Date: October 18, 2019

Last updated: 10/18/2019
Originally published: 10/18/2019

Update

Nitro are actively working to address several recently published potential vulnerabilities. Upon being made aware of their existence, we evaluated the accuracy of the claims, assessed the severity and likelihood any exploitation, and (based on our existing proactive vulnerability analysis and handling procedures) we then put the vulnerabilities into our remediation queue.

We are taking these vulnerabilities seriously and will be addressing them in an upcoming update. For additional information, you may contact security@gonitro.com.

Date: November 17, 2017

Last updated: 11/17/2017
Originally published: 11/17/2017

Update

Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

Affected Versions Vulnerability CVE
11.0.6 and prior
10.5.9.14 and prior		 A vulnerability exists in the Doc.SaveAs function which
could be exploited by a specially crafted PDF file,
potentially leading to a File Write taking place outside
of the intended path.		 CVE-2017-7442
11.0.6 and prior
10.5.9.14 and prior		 A vulnerability exists in the Doc.SaveAs function which
could be exploited by a specially crafted PDF file,
potentially leading to a URL launch taking place in
conjunction with a Security Alert.		 CVE-2017-7442

 

Solution

Nitro recommends Personal (individual) users update their software to the latest version below. Business customers may contact their Nitro Account Manager for access to any security updates and deployment instructions. Enterprise customers with a dedicated Customer Success Manager will receive details of updated releases that address the issues.

Updated Version Availability
11.0.8.470 Please update to the latest version of Nitro Pro 11 available here
10 Nitro is unable to fix this vulnerability in Nitro Pro 13. Please upgrade to the latest version of Nitro Pro 11 available here

For more information, please contact the Nitro Security Team at security@gonitro.com

Date: September 27, 2017

Last updated: 9/27/2017
Originally published: 9/27/2017

Update

Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

Affected Versions Vulnerability CVE
11.0.5.271 and prior
10.5.9.14 and prior		 A memory write vulnerability that could potentially be
exploited when opening a specially crafted PDF file, with
a specific Count field, leading to memory corruption and
a crash. 		 CVE Pending
11.0.5.271 and prior
10.5.9.14 and prior		 A use-after-free vulnerability exists that could potentially
be exploited when opening a specially crafted PDF file
containing a malformed JPEG2000 image, leading to
memory corruption and a crash.		 CVE Pending

 

Solution

Nitro recommends Personal (individual) users update their software to the latest version below. Business customers may contact their Nitro Account Manager for access to any security updates and deployment instructions. Enterprise customers with a dedicated Customer Success Manager will receive details of updated releases that address the issues.

Updated Version Availability
11.0.8.470 Please update to the latest version of Nitro Pro 11 available here
10 Nitro is unable to fix this vulnerability in Nitro Pro 13. Please upgrade to the latest version of Nitro Pro 11 available here

For more information, please contact the Nitro Security Team at security@gonitro.com

Date: July 21, 2017

Originally published: 7/21/2017

Last updated: 8/25/2017

Update

Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

Affected Versions Vulnerability CVE
11.0.3.173 and prior
10.5.9.14 and prior		 An out of bound memory write vulnerability that could
potentially be exploited when opening a specially crafted
PDF file, leading to memory corruption and a crash.		 CVE-2017-2796
11.0.3.173 and prior
10.5.9.14 and prior		 A heap overflow vulnerability that could potentially be
exploited when opening a specially crafted PCX image
file, resulting in memory corruption and a crash.		 CVE-2017-7950

 

Solution

Nitro recommends Personal (individual) users update their software to the latest version, which includes fixes for these vulnerabilities. Business customers may contact their Nitro Account Manager for access to the latest version and deployment instructions. Enterprise customers with a dedicated Customer Success Manager will receive details of updated releases that address the issues.

Updated Version Availability
11.0.8.470 Please update to the latest version of Nitro Pro 11 available here
10 Nitro is unable to fix this vulnerability in Nitro Pro 13. Please upgrade to the latest version of Nitro Pro 11 available here

For more information, please contact the Nitro Security Team at security@gonitro.com

Date: August 25, 2017

Originally published: 2/3/2017

Last updated: 8/25/2017

Update

Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.

Affected Versions Vulnerability CVE
11.0.3.134 and prior
10.5.9.9 and prior		 A specially crafted PDF file can potentially cause
memory corruption leading to a crash.		 CVE-2016-8709
CVE-2016-8713
11.0.3.134 and prior
10.5.9.9 and prior		 A potential remote code execution vulnerability in the
PDF parsing functionality of Nitro Pro.		 CVE-2016-8711

 

Solution

Nitro recommends Personal (individual) users update their software to the latest version, which includes fixes for these vulnerabilities. Business customers may contact their Nitro Account Manager for access to the latest version and deployment instructions. Enterprise customers with a dedicated Customer Success Manager will receive details of updated releases that address the issues.

Updated Version Availability
11.0.8.470 Please update to the latest version of Nitro Pro 11 available here
10.5.9.14+ Please update to the latest version of Nitro Pro 13 available here

For more information, please contact the Nitro Security Team at security@gonitro.com

Responsible Disclosure Policy

Nitro is proud to have required few historical Product Updates for security vulnerabilities. Keeping user information safe and secure is a top priority and a core company value for us at Nitro. We welcome the contribution of external security researchers and look forward to awarding them for their invaluable contribution to the security of all Nitro users.

Rewards

Nitro provides rewards for accepted vulnerability reports at its discretion. Our minimum reward is a $25 USD Amazon gift card. Reward amounts may vary depending upon the severity of the vulnerability reported and quality of the report. Keep in mind that this is not a contest or competition. We reserve the right to determine amount or even whether a reward should be granted.

Applications in Scope

Nitro Pro, Nitro Sign and Nitro Admin applications are eligible for the bounty program. In addition, any cloud-based partner platform applications are also eligible (eg Nitro File Actions). We may still reward anything with significant impact across our entire security posture, so we encourage you to report such vulnerabilities via this program.

Security Vulnerability Reporting & Eligibility

All Nitro security vulnerabilities should be reported via email to the Nitro Security Team at security@gonitro.com. To promote the discovery and reporting of vulnerabilities and increase user safety, we ask that you:

  • Share the security issue with us in detail, including the application name, version/build affected, concise steps to reproduce the vulnerability that are easily understood, information on the actual and potential impact of the vulnerability, and details of how it could be exploited;
  • Include a proof-of-concept file;
  • Please be respectful of our existing applications. Spamming forms through automated vulnerability scanners will not result in any bounty reward since those are explicitly out of scope;
  • Give us a reasonable time to respond to the issue before making any information about it public;
  • Do not access or modify our data or our users’ data, without explicit permission of the owner. Only interact with your own accounts or test accounts for security research purposes;
  • Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Nitro;
  • Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service); and
  • Otherwise comply with all applicable laws.

We only reward the first reporter of a vulnerability. Public disclosure of the vulnerability prior to resolution may cancel a pending reward. We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.

We will not negotiate in response to duress or threats (e.g., we will not negotiate the payout amount under threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public).

Security Vulnerability Process

(1) Nitro will acknowledge and assess any vulnerability reported according to the instructions above, typically within 7 days.

(2) When a vulnerability is confirmed, Nitro will conduct risk analysis using the Common Vulnerability Scoring System (CVSS v3) and determine the most appropriate response for Nitro customers.

  • Critical Security Vulnerabilities: Issues within the software that, if not addressed, pose a high risk and probability of unauthorized access, alteration or destruction of information on a user's computer or connected computers. Nitro will resolve critical security vulnerabilities with a Product Update to the Current and Previous Release of Nitro Pro, and all cloud services, according to the Product Updates & Sunset Policy.
  • Non-Critical Security Vulnerabilities: Issues within the software that, if not addressed, pose a low to moderate risk and probability of unauthorized access, alteration or destruction of information on a user's computer or connected computers. Nitro at its discretion, will resolve Non-Critical Security Vulnerabilities with a Product Update to the Current Release of Nitro Pro only, and all cloud services according to the Product Updates & Sunset Policy.

(3) Nitro will design, implement & test a fix for all Critical Security Vulnerabilities, and provide a Product Update to customers, typically within 90 days.

(4) Nitro will publicly disclose all Critical Security Vulnerabilities, affected versions, and relevant details of Product Updates that address the issues, on this Nitro Security Updates page. Nitro does not publicly acknowledge individual security researchers for their submissions.

Out-of-Scope Security Vulnerabilities

The following issues are outside the scope of this policy & rewards program:

  • Attacks requiring physical access to a user's device.
  • Missing security headers which do not lead directly to a vulnerability.
  • Missing best practices (we require evidence of a security vulnerability).
  • Use of a known-vulnerable library (without evidence of exploitability).
  • Social engineering of Nitro employees or contractors.
  • Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner).
  • Content spoofing and pure text injection vulnerabilities (where you can only inject text or an image into a page). We will accept and resolve a spoofing vulnerability where attacker can inject image or rich text (HTML), but it is not eligible for a bounty.
  • Nitro services unless you are able to hit private IPs or Nitro servers.

Consequences of Complying with This Policy

We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.

If legal action is initiated by a third party against you and you have complied with Nitro’s Security Vulnerability & Bug Bounty Policy, Nitro will take steps to make it known that your actions were conducted in compliance with this policy.

Please submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.

The Fine Print

You are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. Reports from individuals who we are prohibited by law from paying are Ineligible for rewards. Nitro employees and their family members are not eligible for any rewards.

In order to encourage the adoption of bug bounty programs and promote uniform security best practices across the industry, Nitro reserves no rights in this bug bounty policy and so you are free to copy and modify it for your own purposes.

For more information, please contact the Nitro Security Team at security@gonitro.com.