Table of Contents
Fetching ...

X-raying the arXiv: A Large-Scale Analysis of arXiv Submissions' Source Files

Giovanni Apruzzese, Aurore Fass

TL;DR

The paper addresses the privacy and storage implications of arXiv’s publicly downloadable TeX source files by performing a large-scale, longitudinal analysis of ~${6\times 10^5}$ submissions from 2015–2025. It introduces BaRDE, a Bulk arXiv Residual Data Extractor, to automatically identify residual data not needed to compile the final PDF, finding about $584$ GB of residual data (roughly $27\%$ of TeX project data) that has grown since 2020. Beyond quantification, the study qualitatively reveals sensitive and problematic content within residual data, including offensive language, undisclosed data links, and private documents, prompting outreach to arXiv and affected authors. The results motivate concrete recommendations for arXiv to reduce exposure (e.g., opt-in source-file sharing, clearer warnings) and to improve data hygiene in scientific repositories. Collectively, the work highlights a public-data privacy risk in open-access platforms and demonstrates a scalable approach to auditing source-file hygiene at scale.

Abstract

arXiv is the largest open-access repository for scientific literature. When submitting a paper, authors upload the manuscript's source files, from which the final PDF is compiled. These source files are also publicly downloadable, potentially exposing data unrelated to the published paper -- such as figures, documents, or comments -- that may unintentionally reveal confidential information or simply waste storage space. We thus ask ourselves: "What can be found within the source files of arXiv submissions?" We present a longitudinal analysis of ~600,000 submissions appeared on arXiv between 2015--2025. For each submission, we examine the uploaded source files to quantify and characterize data not required for producing the respective PDF. On average, 27% of the data in each submission are unnecessary, totaling >580 GB of redundant content across our dataset. Qualitative inspection reveals the presence of offensive/inappropriate text (e.g., "WTF does this mean?") and experimental details that could disclose ongoing research. We have contacted arXiv's leadership team, as well as the authors of affected papers to alert them of these issues. Finally, we propose recommendations and an automated tool to detect and analyze arXiv submissions residual data at scale, aiming to improve data hygiene in the arXiv's ecosystem.

X-raying the arXiv: A Large-Scale Analysis of arXiv Submissions' Source Files

TL;DR

The paper addresses the privacy and storage implications of arXiv’s publicly downloadable TeX source files by performing a large-scale, longitudinal analysis of ~ submissions from 2015–2025. It introduces BaRDE, a Bulk arXiv Residual Data Extractor, to automatically identify residual data not needed to compile the final PDF, finding about GB of residual data (roughly of TeX project data) that has grown since 2020. Beyond quantification, the study qualitatively reveals sensitive and problematic content within residual data, including offensive language, undisclosed data links, and private documents, prompting outreach to arXiv and affected authors. The results motivate concrete recommendations for arXiv to reduce exposure (e.g., opt-in source-file sharing, clearer warnings) and to improve data hygiene in scientific repositories. Collectively, the work highlights a public-data privacy risk in open-access platforms and demonstrates a scalable approach to auditing source-file hygiene at scale.

Abstract

arXiv is the largest open-access repository for scientific literature. When submitting a paper, authors upload the manuscript's source files, from which the final PDF is compiled. These source files are also publicly downloadable, potentially exposing data unrelated to the published paper -- such as figures, documents, or comments -- that may unintentionally reveal confidential information or simply waste storage space. We thus ask ourselves: "What can be found within the source files of arXiv submissions?" We present a longitudinal analysis of ~600,000 submissions appeared on arXiv between 2015--2025. For each submission, we examine the uploaded source files to quantify and characterize data not required for producing the respective PDF. On average, 27% of the data in each submission are unnecessary, totaling >580 GB of redundant content across our dataset. Qualitative inspection reveals the presence of offensive/inappropriate text (e.g., "WTF does this mean?") and experimental details that could disclose ongoing research. We have contacted arXiv's leadership team, as well as the authors of affected papers to alert them of these issues. Finally, we propose recommendations and an automated tool to detect and analyze arXiv submissions residual data at scale, aiming to improve data hygiene in the arXiv's ecosystem.
Paper Structure (45 sections, 10 figures, 9 tables)

This paper contains 45 sections, 10 figures, 9 tables.

Figures (10)

  • Figure 1: An arXiv submission. Clicking on " TeX Source" allows anyone to download the source files of this paper.
  • Figure 2: Snippet of files extracted from a "chunk".We show the first 10 files (alongside their size and last modification), each denoting a specific submission, of the first "chunk" of January 2025 taken from S3.
  • Figure 3: Overview of our research. We downloaded our dataset in May--July 2025. We reached out to arXiv and to authors of "problematic" submissions in August 2025. We will wait at least 90 days (in line with best practices projectzero) before disseminating our findings.
  • Figure 4: BaRDE pseudocode (extended in Algorithm \ref{['alg:ext']})
  • Figure 5: Distribution of projects with size of $\mathcal{F}$$\geq$1KB (count: 285,582). Some projects (38) have more than 100MB worth of $\mathcal{F}$.
  • ...and 5 more figures