Embedded PDF binary metadata (XMP/DocumentInfo) persists after download despite removing all AEM-managed metadata

Question

A third-party penetration test flagged that PDF files downloaded from our AEM publish instance contain embedded metadata revealing software version information (e.g., Adobe InDesign 19.5, Adobe PDF Library 17.0, Adobe XMP Core 9.1). The security team requires this metadata to be stripped before the file is served to end users.

We are requesting Adobe's official confirmation that AEM as a Cloud Service does not modify or strip metadata embedded within the binary content of uploaded DAM assets, and guidance on the recommended approach.

What We Tried

1. Removed XMP metadata properties from the JCR metadata node

2. Deleted the entire metadata node

SubbaraoGa1 · Accepted Answer

Hello ​@JavedZiWe confirm that AEM as a Cloud Service does not remove metadata already embedded within the original uploaded PDF binary.Removing properties from the asset metadata node in AEM changes repository metadata only and doesnotsanitize the PDF file itself.If embedded metadata must be removed before the file is delivered to end users, the PDF must be sanitized or rewritten before delivery, for example before upload or through a custom processing workflow that generates a sanitized rendition for public use.https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/assets/manage/manage-metadatahttps://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/assets/dynamicmedia/dynamic-media-open-apis/deliver-assets-apis

What We Tried

1. Removed XMP metadata properties from the JCR metadata node

2. Deleted the entire metadata node

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded