PDF Structural Problems
in AI Ingestion Pipelines

1. Scale Context
2. The V/AP Structural Problem
3. NeedAppearances Compounds the Problem
4. Parser Disagreement: Six Parsers, Eleven Files
5. Methodology and Reproducibility
6. What This Means for AI Pipelines
7. The Core Architectural Mismatch
8. Ingestion Corruption vs. Adversarial Injection
9. Growth Projections
10. What the Spec Does and Does Not Address
11. Scope Note
12. References

The Structural Problem That AI Ingestion Inherits

PDF AcroForm fields have two independent data stores that have no obligation to agree with each other.

/V is the machine-readable field value. JavaScript reads it. Form submissions post it. Digital signatures include it in their byte-range hash.

/AP (specifically /AP /N) is an appearance stream — a self-contained PDF content stream that the viewer renders as pixels. It is what the human sees on screen.

These two stores are not derived from each other. A PDF author can set /V to $12,000.00 and author an /AP stream that renders $1,200.00. Both values coexist in the same file. A digital signature can certify the entire byte range covering both, and the signature remains cryptographically valid. The signed content and the displayed content structurally disagree inside the same certified byte range.

This is called the V/AP problem. It was documented academically in Mainka, Mladenov, Rohlmann, and Schwenk, “Shadow Attacks: Hiding and Replacing Content in Signed PDFs,” NDSS/CCS 2021, which identified three attack classes (Hide, Hide-and-Replace, Replace) exploiting the gap between the signed byte range and what the viewer renders. The disclosure reached 28 PDF viewer vendors and produced patches from Adobe, Foxit, LibreOffice, and others. An earlier research series by Müller, Mladenov, Somorovsky, and Schwenk (2017–2019) at pdf-insecurity.org systematically mapped signature-validation weaknesses across major PDF viewers, establishing the framework that the Shadow Attack work built on. The V/AP structural separation is a consequence of the format’s design, not a defect that can be patched at the specification level.

In operational contexts, this class of discrepancy is directly applicable to invoice fraud and document-centric financial workflows: an automated payment system reads /V while the human reviewer sees what /AP renders, producing a gap between the displayed and processed values that survives signature validation intact. No modification of the signature byte range is required, and no viewer warning is produced.

NeedAppearances Compounds the Problem

There is a flag in the AcroForm dictionary called /NeedAppearances. When set to true, it instructs every PDF viewer to discard the stored appearance streams and regenerate them from /V field values at document open time. This is legitimate in programmatic form-fill workflows where appearance regeneration is deferred for performance reasons — DocuSign uses it, mail-merge pipelines use it.

When combined with a digital signature, the consequence is structural: the byte-range hash covers the /AP streams stored on disk at signing time. The viewer then regenerates the appearance from /V after opening.

What later viewers render may not be identical to the originally signed appearance state — and the document provides no mechanism to detect this. The signature is still valid. ISO 32000-2 is aware of this behaviour and does not classify it as a specification defect.

For AI ingestion pipelines this creates a specific fork: a parser reading /AP as the display value reads appearance data that was stale at signing time and was never shown to any human reviewer. A parser reading /V reads the field value. Whether those two agree is unknown at ingestion time unless the pipeline explicitly checks.

The PQPDF V/AP research validated static detection across 196 PDFs including 44 IRS tax forms, 102 Corkami adversarial proof-of-concept files, 29 arXiv papers, and 4 federal legislative publications. Detection rate on 8 hand-crafted positive cases: 8/8. False positive rate on 187 negatives: 0/187. These are validation corpus results on a specific hand-crafted test set; they characterize the detector’s behavior on those cases and are not a claim of universal detection effectiveness across the PDF ecosystem.

For comparison: pikepdf detects 2 of the 5 V/AP indicator types. pdfminer.six detects 0. Neither library was built for this. Neither library is presenting itself as having built for this. The gap is not a criticism of those libraries; it is an accurate statement of what is and is not detected in the standard PDF ingestion toolchain.

Parser Disagreement: Six Parsers, Eleven Conflicting Accounts of the Same File

The V/AP problem concerns disagreement between two data stores within a single file. The parser disagreement problem concerns what happens when different parsers each read a single file and return different answers about what it contains.

The PQPDF parser disagreement research constructed 11 minimal hand-crafted PDFs deliberately targeting structural ambiguities in the PDF specification — areas where the spec is underspecified, contradictory, or leaves parser behaviour to implementer discretion.

Each file was run through six production-grade parsers in parallel: MuPDF (mutool), Poppler (pdfinfo), Ghostscript (nullpage render), qpdf, pdfminer.six, and pdf.js/Node. Under these ambiguity conditions, every file produced at least one confirmed cross-parser disagreement. Seven of eleven triggered critical-severity findings on JavaScript visibility, encryption status, or page count.

This does not mean all normal, well-formed PDFs produce major parser disagreement. It means these specific structural ambiguities, when present in a document, reliably do — and the document reaching an ingestion pipeline has no obligation to announce their presence.

Selected results:

These are not exotic attack scenarios requiring specialized exploit development. Each file is between 349 and 798 bytes, built from raw bytes without any PDF library, targeting ambiguities that exist in the PDF specification itself. ISO 32000-1 and ISO 32000-2 leave the following behaviors underspecified or contradictory: the precedence of /Count versus structural traversal; the semantics of /V 0 encryption dictionaries; the minimum incremental update chain depth a conforming reader must process for metadata extraction; and the scope of /Version catalog overrides in feature-gating contexts.

Methodology and Reproducibility

The claims in this article derive from two primary research pages, each of which publishes full methodology. This section summarises the key details; full commands, raw scanner output, and individual file results are in the linked sources.

Parser Disagreement: File Construction and Parser Commands

The 11 test PDFs were written by hand in Python without calling any PDF library. Each file was built from raw bytes with byte-accurate cross-reference tables, targeting one ambiguity per file. Files range from 349 to 798 bytes. No fonts, no images, no embedded content beyond the specific structural feature under test. All six parsers ran on the same Linux server against the same file path with no network calls and no sandboxing differences between parsers. The only variable is the parser.

Full per-file results including verbatim scanner output: pdf-parser-disagreement.php

V/AP Detection: The Five Checks

All five checks operate on the raw PDF object model without rendering or OCR. They are implemented in the PQPDF scanner’s AcroForm field analysis module and their findings feed into a weighted multi-module correlation layer alongside signature forensics and behavioural sandbox results.

1. /NeedAppearances detection — regex match against the AcroForm dictionary. Presence alone is medium severity; presence combined with a digital signature (/Sig field) escalates to critical.
2. Checkbox / radio /V vs /AS comparison — a pure string comparison of two name objects in the widget annotation dictionary. If /V /Yes and /AS /Off, the field appears unchecked to the viewer while the machine-readable value is checked.
3. AP stream text extraction — decompress the /AP /N content stream; parse Tj/TJ operators; PDF-unescape and whitespace-normalise; compare to /V with hex-string decoding (bytes.fromhex(), UTF-16BE BOM detection) and /Opt export-value resolution for listbox / combobox fields.
4. Blank AP stream detection — the /AP /N content stream decompresses to an empty or whitespace-only byte sequence; the field is covered by any signature but renders blank to the viewer.
5. Missing AP detection — the widget annotation has no /AP key at all; the viewer must synthesise a default appearance, which may not match /V.

V/AP Validation Corpus

196 PDFs were submitted to the scanner across six categories. All predictions for positive test files were stated before scanning. One scan error occurred (blank-AP edge case); it is not counted in the denominator.

These are validation corpus results on a specific hand-crafted test set with a known-positive class. They characterise detector behaviour on those cases and are not a claim of universal detection effectiveness across the broader PDF ecosystem. Corpus and generation scripts are available from the authors on request. Full methodology including exact scoring weights, AcroForm module implementation detail, and per-file verbatim output: pdf-form-security.php

What This Means for AI Pipelines Specifically

When a RAG pipeline ingests a PDF where two parsers disagree on page count, the knowledge base contains different content than what a human reader opens in their viewer. Test 2 in the PQPDF corpus demonstrates this directly: four parsers report 3 pages, two report 2. The one-page gap is not benign if the missing page contains material relevant to a query the RAG system will later answer.

Incremental update attacks (demonstrated in Tests 5, 6, and 9 of the PQPDF research) are a known vector for document fraud: a signed PDF is modified via an incremental update without invalidating the digital signature. If the ingestion tool reads only the base revision, it indexes the original unmodified content as authoritative, even though the document has been altered post-signing.

Patent documents frequently combine scanned page images with a selectable-text overlay added by the patent office OCR pipeline. Different parsers diverge on whether to read the overlay text, attempt independent OCR on the image layer, or report no text at all. The same patent can produce thousands of words from one extractor and zero from another.

Multi-column scientific papers produce a different failure: parsers extract text in different reading orders, yielding different token sequences from the same document and delivering different context to the LLM.

Legal contracts with redactions expose a different failure class. Some redaction tools draw visual rectangles over text objects without removing the underlying text from the PDF structure. A parser reading the visual layer sees a redacted document. A parser reading the object tree recovers the original unredacted text. This has affected court filings in publicized cases and applies directly to any legal knowledge base populated by PDF ingestion.

Ingestion Corruption vs. Adversarial Injection: Two Distinct Problems

These failure modes need precise labels because the defenses and the evidence base are different for each.

Accidental ingestion corruption is the dominant case and requires no attacker. It happens when a knowledge base ingests a PDF corpus using a single parser without V/AP or parser-disagreement checks. The ingested values may be wrong not because anyone intended them to be, but because the extraction layer resolved a structural ambiguity differently than the document’s author intended or than the display layer renders. The downstream LLM receives incorrect facts, operates on them, and produces incorrect outputs with normal confidence. Developer reports consistently describe this class of problem: extraction inconsistency, layout destruction across columns, OCR divergence on scanned overlays, and page count mismatches even without any malicious input. This is silent extraction failure at scale, not adversarial attack.

Adversarial hidden-context injection is a structurally grounded capability, but evidence for its active exploitation specifically via PDF structural mechanisms in LLM pipelines remains limited in public disclosures. The parser disagreement research identifies the mechanism: a PDF where the visual rendering layer shows benign content while the extraction layer returns additional or different content can deliver natural-language instruction text to an LLM’s context window that never appeared in any human reviewer’s inspection of the document. No exploit code is required — only knowledge of the specification and which parser makes which choice at each structural ambiguity. The adversarial content can be embedded in a compressed stream, an incremental update, or a content layer that only some parsers surface.

Research confirms document-level injection is an active area broadly: a November 2025 preprint documented that five carefully crafted documents can manipulate AI responses 90% of the time through RAG document injection (generic document manipulation, not PDF-structural specifically). The MDPI paper on prompt injection in LLMs (January 2026) documents that adversarial documents can be positioned to match target queries while containing malicious content invisible to text-based inspection. The V/AP mechanism adds a specific subclass: /V contains adversarial content while /AP renders legitimate-looking content to human reviewers. Whether this specific subclass is being actively exploited in production pipelines is not currently documented in public disclosures.

The accidental corruption case is the more prevalent problem today and requires no adversary. The adversarial injection case is a real structural capability that requires an attacker with specific knowledge of the target pipeline’s parser choices. Both are real. They require different defenses. Conflating them overstates the adversarial threat while underselling the much larger accidental-corruption problem that affects every single-parser ingestion pipeline right now.

Growth Projections and Trajectory

The scale of PDF ingestion is not decreasing. The AI training dataset market is projected to grow from $3.2 billion in 2025 to $16.3 billion by 2033 (Grand View Research^[7] — industry analyst forecast). Text datasets represent the largest segment within that market: $1.29 billion measured in 2025, projected to $2.12 billion by 2028 (ibid.).

FinePDFs (3 trillion tokens from 475 million documents) is a public dataset with a documented release date and verifiable size.^[6] Production training pipelines at major labs are not public. The FinePDFs scale provides a reference point for the lower bound of PDF-token ingestion at public-dataset scale.

RAG deployment numbers come from multiple sources of varying independence. Vectara, a RAG platform vendor, reported enterprises choosing RAG for 30–60% of high-accuracy use cases (January 2025^[8] — vendor prediction). Grand View Research measured the document retrieval segment at 32.4% of global RAG revenue in 2024.^[7] Menlo Ventures, a venture capital firm, reported enterprise generative AI spending at $37 billion in 2025, up 3.2x from $11.5 billion in 2024, based on an enterprise survey.^[9] These figures are self-reported or analyst-estimated; they are included as directional context, not verified measurements.

In that context, the PDF structural problems described above are not niche edge cases. They are present in the dominant document format feeding the dominant enterprise AI architecture during a period of 3x annual spending growth. The extraction layer is not keeping pace with the deployment layer.

What the Spec Does and Does Not Address

ISO 32000-2:2020 is aware of the V/AP structural separation. The spec does not classify it as a defect. The /NeedAppearances behavior — where signed bytes cover stale appearance streams and viewers regenerate from /V at open time — is documented as a consequence of the format’s design.

The incremental update processing ambiguities (how deep must a conforming reader follow the xref chain; what constitutes a permitted modification under DocMDP P=2) are not fully resolved in the current specification. The parser disagreement research specifically identifies four areas where tightened normative language in ISO 32000 and ISO 19005 would reduce parser divergence: the precedence of /Count versus structural traversal; the semantics of /V 0 encryption dictionaries; the minimum update-chain depth for metadata extraction; and the normative treatment of /Version catalog overrides in feature-gating contexts.

PDF/A (ISO 19005) mandates that conforming files be renderable consistently across readers. Parser disagreement on page count or document structure challenges the interoperability guarantees PDF/A aims to provide. A PDF/A archival tool validating a file using MuPDF may report conformance while a Poppler-based reader renders additional content from an incremental update that MuPDF does not surface. PDF/UA (ISO 14289) accessibility compliance similarly becomes parser-dependent rather than document-dependent when the underlying parsers disagree on content.

Scope Note

The V/AP and parser-disagreement problems are not the dominant PDF threat class in terms of raw volume. Most malicious PDFs observed in the wild are credential-harvesting overlays and social engineering lures that do not touch AcroForm field structure at all. Those are URL reputation and static JavaScript problems. V/AP divergence matters for signed documents carrying legal or financial authority — contracts, invoices, regulatory filings — where the gap between what a human sees and what a machine processes has direct operational consequences. Parser disagreement matters for any single-parser ingestion pipeline operating on a document corpus where content accuracy is required.

Both classes are real. They require different tools. The same pipeline cannot address them with the same check.

References

Source types are labelled: peer-reviewed, industry analyst forecast, vendor report/prediction, VC survey, specification, or primary research. Market forecasts are analyst projections, not independently verified measurements.

1. Mainka, C., Mladenov, V., Rohlmann, S., Schwenk, J. “Shadow Attacks: Hiding and Replacing Content in Signed PDFs.” NDSS Symposium 2021 / ACM CCS 2021. (peer-reviewed)
2. Müller, J., Mladenov, V., Somorovsky, J., Schwenk, J. PDF Insecurity series, 2017–2019. pdf-insecurity.org (peer-reviewed / disclosed research)
3. ISO 32000-2:2020. Document management — Portable Document Format — Part 2: PDF 2.0. §12.8.2.2 (DocMDP), §12.7.3 (AcroForm), §12.7.4 (Field types and /V semantics). (specification)
4. PQ PDF. “PDF Forms as Executable Security Boundaries: V/AP Divergence, DocMDP, and What Gets Certified.” Published 24 May 2026. pqpdf.com/pdf-form-security.php (primary research — this site)
5. PQ PDF. “PDF Parser Disagreement: Six Parsers, Eleven Divergences.” Published 20 May 2026. pqpdf.com/pdf-parser-disagreement.php (primary research — this site)
6. Hugging Face. FinePDFs dataset. 475 million documents, 3 trillion tokens. Released September 2025. huggingface.co/datasets/HuggingFaceFW/finepdfs (public dataset — verifiable)
7. Grand View Research. “AI Training Dataset Market Size, Share & Trends Analysis Report, 2026–2033.” CAGR 22.6%, projected $16.32 billion by 2033. (industry analyst forecast — paywalled; independent verification not available)
8. Vectara. “Enterprise RAG Predictions for 2025.” January 2025. vectara.com/blog/top-enterprise-rag-predictions (vendor report — Vectara is a RAG platform; treat as industry prediction, not independent measurement)
9. Menlo Ventures. Enterprise generative AI spending survey, 2025. (VC-firm enterprise survey — methodology not independently verified)
10. Prompt Injection Attacks in Large Language Models and AI Agent Systems: A Comprehensive Review. MDPI Information, vol. 17, issue 1. Published January 2026. mdpi.com/2078-2489/17/1/54 (peer-reviewed survey)
11. Preprints.org. “Prompt Injection Attacks in Large Language Models.” Posted November 2025. preprints.org/manuscript/202511.0088/v1 (preprint — not peer-reviewed at time of citation)
12. CVE-2021-28550 (APSB21-29): AcroForm + getField/setFocus JavaScript, use-after-free, CVSS 8.8. (NVD / Adobe advisory)
13. CVE-2021-21017 (APSB21-09): XFA heap buffer overflow, exploited in the wild, CVSS 8.8. (NVD / Adobe advisory)
14. CVE-2024-45112 (APSB24-70): XFA/AcroForm type confusion, CVSS 8.6. (NVD / Adobe advisory)
15. CVE-2023-21608 (APSB23-01): Use-after-free via AcroForm event.target JavaScript, CVSS 7.8. (NVD / Adobe advisory)
16. MITRE ATT&CK T1566.001: Phishing: Spearphishing Attachment. attack.mitre.org/techniques/T1566/001/
17. Stevens, D. PDF analysis tools: pdfid.py, pdf-parser.py. blog.didierstevens.com/programs/pdf-tools/
18. McKinsey & Company. “The state of AI: How organizations are rewiring to capture value.” McKinsey Global Survey, 2025. (consulting-firm survey — methodology available on request from McKinsey; 71% figure from the 2025 edition of their annual AI adoption survey)