VYPR
Moderate severity · NVD Advisory · Published Oct 24, 2024 · Updated Oct 25, 2024

OpenRefine's error page lacks escaping, leading to potential Cross-site Scripting on import of malicious project

CVE-2024-47882

Description

OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the built-in "Something went wrong!" error page includes the exception message and exception traceback without escaping HTML tags, enabling injection into the page if an attacker can reliably produce an error with an attacker-influenced message. It appears that the only way to reach this code in OpenRefine itself is for an attacker to somehow convince a victim to import a malicious file, which may be difficult. However, out-of-tree extensions may add their own calls to respondWithErrorPage. Version 3.8.3 has a fix for this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpenRefine versions before 3.8.3 have an XSS vulnerability in the error page because exception messages are not HTML-escaped, potentially allowing an attacker to execute JavaScript by convincing a victim to import a malicious project.

Vulnerability

The OpenRefine error page, displayed when an exception occurs, includes the exception message and stack trace without escaping HTML tags [1][3]. This means an attacker who can influence an error message (for example, by crafting a malicious file that causes an exception with an attacker-controlled message) can inject arbitrary HTML and JavaScript into the page when the victim views it [4]. The vulnerable code paths are in Command.respondWithErrorPage and HttpUtilities.respondWithErrorPage, which render the Velocity template error.vt [3]. The template directly includes $message and $stack variables without sanitization [3].
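As an added illustration, not OpenRefine's own code, the following Java method mirrors the context-building step of HttpUtilities.respondWithErrorPage and applies the same Guava HtmlEscapers call the fix commit uses to both values that error.vt renders, $message as well as $stack. The class and method names, the constructed exception message, and the presence of Guava and commons-lang3 on the classpath are assumptions for the example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import com.google.common.escape.Escaper;
import com.google.common.html.HtmlEscapers;
import org.apache.commons.lang3.exception.ExceptionUtils;

public class ErrorPageEscaping {

    // Guava's HTML escaper rewrites & < > " and ' so that neither value can
    // open a tag or break out of an attribute once error.vt inserts it.
    private static final Escaper HTML = HtmlEscapers.htmlEscaper();

    // Hypothetical counterpart of the context-building step in
    // HttpUtilities.respondWithErrorPage. Both template variables are
    // escaped at the call site; the upstream fix does this for "stack".
    static Map<String, String> buildErrorContext(String message, Throwable e) {
        Map<String, String> context = new LinkedHashMap<>();
        context.put("message", message == null ? "" : HTML.escape(message));
        context.put("stack", e == null ? "" : HTML.escape(ExceptionUtils.getStackTrace(e)));
        return context;
    }

    // True when no character that could start markup survives escaping.
    static boolean containsNoRawMarkup(String value) {
        return value.indexOf('<') < 0 && value.indexOf('>') < 0
                && value.indexOf('"') < 0 && value.indexOf('\'') < 0;
    }

    public static void main(String[] args) {
        // Constructed input standing in for an exception whose message is
        // derived from an imported file; not a real OpenRefine exception.
        String hostile = "Parse failed: <b>injected</b> near \"row 3\"";
        Throwable cause = new IllegalArgumentException(hostile);

        // A stack trace begins with the exception's toString(), so the
        // hostile message appears in $stack as well as in $message; real
        // traces also carry frames such as <init>, so $stack needs escaping
        // even when the message itself is harmless.
        Map<String, String> ctx = buildErrorContext(cause.getMessage(), cause);
        for (Map.Entry<String, String> entry : ctx.entrySet()) {
            System.out.println(entry.getKey() + " safe to render: "
                    + containsNoRawMarkup(entry.getValue()));
        }
    }
}
```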

Exploitation

In the base OpenRefine product, the most plausible way to trigger an attacker-influenced error is by convincing a victim to import a malicious project file [1][4]. This could be delivered via a URL or uploaded file, as shown in the project's proof-of-concept (see reference [4] for the link). However, out-of-tree extensions may also call respondWithErrorPage in ways that could expose additional attack surfaces [1][4]. Note that errors reported as JSON responses are not affected because they are not interpreted as HTML by the browser [4].

Impact

Successful exploitation leads to execution of arbitrary JavaScript in the victim's browser within the context of the OpenRefine session [4]. The attacker's script can perform any action the victim is able to do, such as modifying projects, accessing data, or performing other operations available in the web interface. The impact is moderate, as it requires user interaction (importing a malicious project) and relies on the victim being logged into OpenRefine [1][4].

Mitigation

The vulnerability is fixed in OpenRefine version 3.8.3 [1][4]. Users should upgrade to this version or later. There is no mention of a workaround for older versions in the available references.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Ecosystem  Affected versions  Patched versions
org.openrefine:openrefine  Maven      < 3.8.3            3.8.3


Patches

85594e75e7b3

error page: escape error and stack trace

https://github.com/OpenRefine/OpenRefine · Antonin Delpeuch · Aug 17, 2024 · via ghsa
1 file changed · +4 −1
  • modules/core/src/main/java/com/google/refine/commands/HttpUtilities.java · +4 −1 · modified
    @@ -36,6 +36,8 @@
     import javax.servlet.http.HttpServletRequest;
     import javax.servlet.http.HttpServletResponse;
     
    +import com.google.common.escape.Escaper;
    +import com.google.common.html.HtmlEscapers;
     import org.apache.commons.lang3.exception.ExceptionUtils;
     import org.apache.velocity.VelocityContext;
     import org.slf4j.Logger;
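Review bot: the two new com.google.common imports are dropped between the javax.servlet block and the org.apache block without a separating blank line, which breaks the grouped import layout the surrounding lines follow; either give them their own block or place them where the project's import ordering puts com.google. Since HtmlEscapers makes Guava a direct compile-time dependency of HttpUtilities, also confirm that com.google.guava is declared for the core module rather than arriving transitively.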
    @@ -197,7 +199,8 @@ static public void respondWithErrorPage(
             VelocityContext context = new VelocityContext();
     
             context.put("message", message);
    -        context.put("stack", e == null ? "" : ExceptionUtils.getStackTrace(e));
    +        Escaper escaper = HtmlEscapers.htmlEscaper();
    +        context.put("stack", e == null ? "" : escaper.escape(ExceptionUtils.getStackTrace(e)));
     
             try {
                 response.setStatus(status);
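Review bot: the unchanged line context.put("message", message); at the top of this hunk still puts the exception message into the Velocity context unescaped, so only $stack is covered by this change even though the commit message says "escape error and stack trace" and the advisory names both values as injectable. Suggest declaring the escaper before the first put and applying it to both: Escaper escaper = HtmlEscapers.htmlEscaper(); context.put("message", message == null ? "" : escaper.escape(message)); context.put("stack", e == null ? "" : escaper.escape(ExceptionUtils.getStackTrace(e))); . If $message is escaped elsewhere (in the template or in Command.respondWithErrorPage), a comment here saying so would save the next reader the same question.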
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
