OpenRefine has a reflected cross-site scripting vulnerability from POST request in ExportRowsCommand
Description
OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the export-rows command can be used in such a way that it reflects part of the request verbatim, with a Content-Type header also taken from the request. An attacker could lead a user to a malicious page that submits a form POST that contains embedded JavaScript code. This code would then be included in the response, along with an attacker-controlled Content-Type header, and so potentially executed in the victim's browser as if it were part of OpenRefine. The attacker-provided code can do anything the user can do, including deleting projects, retrieving database passwords, or executing arbitrary Jython or Clojure expressions, if those extensions are also present. The attacker must know a valid project ID of a project that contains at least one row. Version 3.8.3 fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenRefine prior to 3.8.3 has a reflected XSS vulnerability in the export-rows command allowing arbitrary JavaScript execution.
Vulnerability
OpenRefine versions before 3.8.3 contain a reflected cross-site scripting (XSS) vulnerability in the export-rows command. The command reflects part of the HTTP request verbatim in the response and takes the response's Content-Type header from a request parameter (contentType) [1][3]. Because the browser honours that header, request data that contains script is rendered as an HTML document in OpenRefine's origin and executed as if it originated from OpenRefine.
Exploitation
An attacker crafts a web page that submits a form POST to an OpenRefine instance the victim can reach; the command accepts cross-site POSTs because it carries no CSRF protection, on the grounds that it does not change state [3]. The form sets the contentType parameter to text/html and the preview parameter to true, so the browser treats the response as an inline HTML page and executes the script the attacker embedded in the request [3]. The attacker must know a valid project ID of a project that contains at least one row [1][3].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's OpenRefine session. This can lead to unauthorized actions such as deleting projects, retrieving database passwords, or executing arbitrary Jython or Clojure expressions if those extensions are enabled [1][3].
Mitigation
The vulnerability is fixed in OpenRefine version 3.8.3. The fix drops the contentType request parameter, so the Content-Type header now always comes from the selected exporter, and it adds a Content-Security-Policy header (script-src 'none'; connect-src 'none') as defence in depth for exporters that do emit HTML [4]. The fix commit leaves a TODO to add CSRF protection to the command, so the endpoint still accepts cross-site form POSTs; the patch stops the response from being rendered as attacker-controlled HTML rather than blocking the request. Users should upgrade to 3.8.3 or later.
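The following checker, added here as an example and not part of OpenRefine or of the advisory, ties the Exploitation and Mitigation sections together: build_probe() constructs the form POST the attack relies on (contentType=text/html, preview=true, a real project ID) and assess_response() classifies a captured response by the two headers the fix commit changes. It does no network I/O; the endpoint path, the project and format parameter names, the text/plain content type of the tab-separated exporter, and both sample responses are assumptions or constructed data, labelled as such in the code.

```python
"""
Probe builder and response classifier for the export-rows Content-Type
reflection described above (CVE-2024-47880).

Added example; it is not OpenRefine's own code. It does no network I/O:
build_probe() returns the request a checker would send, and
assess_response() classifies a captured raw HTTP response by the two headers
the fix commit changes (Content-Type and Content-Security-Policy).
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlencode

# Assumed for illustration: the page names the command ("export-rows") and the
# contentType/preview parameters, not the full path or the other field names.
EXPORT_ROWS_PATH = "/command/core/export-rows"
REQUESTED_FORMAT = "tsv"  # a text exporter; a text/html label here means the server honoured the override


@dataclass
class Probe:
    method: str
    url: str
    form: dict[str, str]

    def encoded_body(self) -> str:
        return urlencode(self.form)


def build_probe(base_url: str, project_id: str) -> Probe:
    """The request shape the page describes: a form POST that asks for a
    text/html Content-Type and an inline preview. Needs a real project id."""
    form = {
        "project": project_id,        # assumed parameter name
        "format": REQUESTED_FORMAT,   # assumed parameter name
        "contentType": "text/html",   # the attacker-controlled header value
        "preview": "true",            # render inline rather than as a download
    }
    return Probe("POST", base_url.rstrip("/") + EXPORT_ROWS_PATH, form)


@dataclass
class Response:
    status: int
    headers: dict[str, str]   # header names lower-cased
    body: str


def parse_raw_response(raw: str) -> Response:
    """Minimal HTTP/1.x response parser for captured text (CRLF or LF)."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Response(status, headers, body)


def csp_blocks_script(csp: str) -> bool:
    """True if the policy forbids script execution: script-src 'none', or
    default-src 'none' with no script-src that re-enables it."""
    directives: dict[str, list[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    return sources == ["'none'"]


def assess_response(resp: Response) -> str:
    """Classify one export-rows response to a probe built by build_probe().

    'vulnerable'              - the server labelled a tabular export text/html,
                                i.e. it honoured the contentType parameter
    'patched'                 - it refused the override and sends a CSP that
                                disables scripts (the 3.8.3 behaviour)
    'override_refused_no_csp' - it refused the override but sends no such CSP
    """
    ctype = resp.headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype == "text/html":
        return "vulnerable"
    if csp_blocks_script(resp.headers.get("content-security-policy", "")):
        return "patched"
    return "override_refused_no_csp"


# Constructed sample responses (not captured from a real server).
SAMPLE_VULNERABLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Disposition: inline\r\n"
    "\r\n"
    "<script>/* attacker-supplied, reflected from the request */</script>\r\n"
)
SAMPLE_PATCHED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/plain\r\n"
    "Content-Security-Policy: script-src 'none'; connect-src 'none'\r\n"
    "\r\n"
    "Column 1\tColumn 2\r\nvalue\tvalue\r\n"
)


if __name__ == "__main__":
    probe = build_probe("http://127.0.0.1:3333", "1234567890")
    print(probe.method, probe.url, probe.encoded_body())
    for name, raw in (("pre-fix", SAMPLE_VULNERABLE), ("3.8.3", SAMPLE_PATCHED)):
        print(name, "->", assess_response(parse_raw_response(raw)))
```

The classifier deliberately keys on the Content-Type header rather than on the body: the override is what the patch removes, and a tabular export labelled text/html is unambiguous, whereas which request field is reflected is not stated on this page. The third verdict exists because a server that refuses the override but sends no CSP is not exploitable through this path yet lacks the defence-in-depth header 3.8.3 adds.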
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.openrefine:openrefine | Maven | < 3.8.3 | 3.8.3 |
Affected products
- (no CPE) range: < 3.8.3
Patches
8060477fa538 export: Fix XSS vulnerability
1 file changed · +5 −6
main/src/com/google/refine/commands/project/ExportRowsCommand.java+5 −6 modified@@ -67,7 +67,8 @@ public class ExportRowsCommand extends Command { private static final Logger logger = LoggerFactory.getLogger("ExportRowsCommand"); /** - * This command uses POST but is left CSRF-unprotected as it does not incur a state change. + * This command uses POST but is left CSRF-unprotected as it does not incur a state change. TODO: add CSRF + * protection anyway, as it does not cost much and could still have prevented an XSS vulnerability */ @Deprecated(since = "3.9") @@ -105,11 +106,9 @@ public void doPost(HttpServletRequest request, HttpServletResponse response) exporter = new CsvExporter('\t'); } - String contentType = params.get("contentType"); - if (contentType == null) { - contentType = exporter.getContentType(); - } - response.setHeader("Content-Type", contentType); + response.setHeader("Content-Type", exporter.getContentType()); + // in case the content-type is text/html, to avoid XSS attacks + response.setHeader("Content-Security-Policy", "script-src 'none'; connect-src 'none'"); String preview = params.get("preview"); if (!"true".equals(preview)) {
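Review bot: the Javadoc on ExportRowsCommand still says the command is left CSRF-unprotected because it incurs no state change, and the new TODO only records that protection "could still have prevented an XSS vulnerability"; since a cross-site form POST is exactly the delivery path of this bug, the check belongs in this fix rather than in a TODO, and "does not incur a state change" should no longer be the sole criterion for leaving a POST command unprotected. If the check is deferred, the comment should at least point at a tracking issue.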
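Review bot: in the doPost hunk the Content-Security-Policy is sent unconditionally but contains only script-src and connect-src, so with no default-src the policy still allows object-src, style-src and frame-src for any exporter whose getContentType() is text/html, which is the case the comment "in case the content-type is text/html" is guarding against; suggest `default-src 'none'` alongside the two existing directives, plus an `X-Content-Type-Options: nosniff` header so the browser uses the exporter's Content-Type as set. The hunk also keeps the preview branch (`if (!"true".equals(preview))`), so the request data the advisory text says is reflected is still echoed; the change removes the text/html override, not the reflection, and the comment should say so rather than describing the header as the anti-XSS measure.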
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] https://github.com/advisories/GHSA-79jv-5226-783f (GitHub Advisory Database)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2024-47880 (NVD)
- [3] https://github.com/OpenRefine/OpenRefine/commit/8060477fa53842ebabf43b63e039745932fa629d (fix commit)
- [4] https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-79jv-5226-783f (project security advisory)