VYPR
High severity · NVD Advisory · Published Oct 24, 2024 · Updated Oct 25, 2024

OpenRefine has a path traversal in LoadLanguageCommand

CVE-2024-49760

Description

OpenRefine is a free, open source tool for working with messy data. The load-language command expects a lang parameter from which it constructs the path of the localization file to load, of the form translations-$LANG.json. But when doing so in versions prior to 3.8.3, it does not check that the resulting path is in the expected directory, which means that this command could be exploited to read other JSON files on the file system. Version 3.8.3 addresses this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpenRefine prior to 3.8.3 has a path traversal vulnerability in its 'load-language' command allowing attackers to read arbitrary JSON files.

OpenRefine versions before 3.8.3 contain a path traversal vulnerability in the load-language command [1]. The command constructs a localization file path using a user-supplied lang parameter without verifying that the resulting path remains within the intended langs directory [4]. This allows an attacker to escape the directory by including ../ sequences in the lang parameter [3].

Exploitation requires sending a crafted HTTP request to the OpenRefine server with a malicious lang parameter, such as ../../../../etc/ [3][4]. The command does not require authentication, so any network-accessible OpenRefine instance is potentially vulnerable [4]. The attacker only needs to be able to reach the server, increasing the attack surface for exposed installations [4].

Successful exploitation results in unauthorized reading of any JSON file on the server's file system [1]. This could lead to disclosure of sensitive configuration data, user credentials, or other confidential information stored in JSON format [4]. No integrity or availability impact is expected [4].

The vulnerability is fixed in OpenRefine 3.8.3 [1]. The fix normalizes the constructed file path and ensures it starts with the langs directory path, rejecting attempts to traverse outside [3]. Users are strongly advised to update to the latest version or, if unable, restrict network access to the OpenRefine server [2][4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
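To make the before/after behaviour concrete, here is an added example (not OpenRefine's own code) that reproduces the path construction described above and the 3.8.3-style containment check side by side. The module directory and the language values are constructed, and the tag allowlist is an extra layer of my own, not part of the fix.

```java
import java.io.File;
import java.nio.file.Path;

// Added example (not OpenRefine's own code): models the path construction
// in loadLanguage() before and after the 3.8.3 fix, so the containment
// check can be exercised with a few constructed lang values.
public class LangPathCheck {

    // Pre-3.8.3 behaviour: the lang value is spliced into the file name
    // with no containment check, so "../" segments walk out of langs/.
    static File vulnerablePath(File modulePath, String lang) {
        return new File(modulePath, "langs" + File.separator + "translation-" + lang + ".json");
    }

    // 3.8.3-style check: normalize both paths, then compare by path components.
    // Path.startsWith is component-wise, so a sibling dir "langs-x" does not match.
    // Returns null when the resolved file would fall outside langs/.
    static File safePath(File modulePath, String lang) {
        File langsDir = new File(modulePath, "langs");
        File langFile = new File(langsDir, "translation-" + lang + ".json");
        Path dir = langsDir.toPath().normalize().toAbsolutePath();
        Path file = langFile.toPath().normalize().toAbsolutePath();
        return file.startsWith(dir) ? langFile : null;
    }

    // Optional stricter layer (assumption, not part of the fix): a language
    // tag never needs a path separator, so allowlist its characters up front.
    static boolean isWellFormedLangTag(String lang) {
        return lang != null && lang.matches("[A-Za-z0-9_-]{1,16}");
    }

    public static void main(String[] args) {
        File module = new File("/opt/openrefine/modules/core"); // constructed path
        String[] samples = { "en", "pt-BR", "../../../secrets" }; // constructed inputs
        for (String lang : samples) {
            File safe = safePath(module, lang);
            System.out.printf("%-18s vulnerable -> %s%n", lang,
                    vulnerablePath(module, lang).toPath().normalize());
            System.out.printf("%-18s fixed      -> %s (well-formed tag: %b)%n", lang,
                    safe == null ? "REJECTED" : safe.toPath().normalize(),
                    isWellFormedLangTag(lang));
        }
    }
}
```

For the traversal sample, the vulnerable path normalizes to secrets.json in the module directory (two levels up, because the first ".." only cancels the "translation-.." segment), while the fixed variant rejects it.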

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.openrefine:openrefine (Maven)
Affected versions: < 3.8.3
Patched versions: 3.8.3


Patches (1)

Commit 24d084052dc5

Prevent directory slip in LoadLanguageCommand

https://github.com/OpenRefine/OpenRefine · Antonin Delpeuch · Oct 16, 2024 · via ghsa
2 files changed · +18 −1
  • main/src/com/google/refine/commands/lang/LoadLanguageCommand.java (+6 −1, modified)
    @@ -149,7 +149,12 @@ static ObjectNode loadLanguage(RefineServlet servlet, String strModule, String s
             ButterflyModule module = servlet.getModule(strModule);
             String strLangFile = "translation-" + strLang + ".json";
             String strMessage = "[" + strModule + ":" + strLangFile + "]";
    -        File langFile = new File(module.getPath(), "langs" + File.separator + strLangFile);
    +        File langsDir = new File(module.getPath(), "langs");
    +        File langFile = new File(langsDir, strLangFile);
    +        if (!langFile.toPath().normalize().toAbsolutePath().startsWith(langsDir.toPath().normalize().toAbsolutePath())) {
    +            logger.error("Security: Attempt to escape the langs directory to read another file");
    +            return null;
    +        }
             FileInputStream fisLang = null;
     
             try {
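Review bot: The containment check on the new `if` line compares `normalize().toAbsolutePath()` results, which collapses `..` segments but does not resolve symbolic links, so a symlink placed under `langs` that points elsewhere still passes and the target outside the directory is read. Consider `toRealPath()` (with a fallback when the file does not exist) or, simpler and stricter, rejecting `strLang` up front when it contains `/`, `\` or `..`, since a valid language tag never needs a path separator. Also, `return null` silently degrades to the fallback language; surfacing an explicit error, or at least logging the rejected value in sanitized form alongside the existing "Security:" message, would let operators tell an attempted traversal apart from a missing translation.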
    
  • main/tests/server/src/com/google/refine/commands/lang/LoadLanguageCommandTests.java (+12 0, modified)
    @@ -100,6 +100,18 @@ public void testLoadNullLanguage() throws JsonParseException, JsonMappingExcepti
             assertEquals(response.get("lang").asText(), "en");
         }
     
    +    @Test
    +    public void testLoadLanguageWithDirectorySlip() throws JsonParseException, JsonMappingException, IOException, ServletException {
    +        when(request.getParameter("module")).thenReturn("core");
    +        when(request.getParameterValues("lang")).thenReturn(new String[] { "../../../secrets" });
    +
    +        command.doPost(request, response);
    +
    +        JsonNode response = ParsingUtilities.mapper.readValue(writer.toString(), JsonNode.class);
    +        assertTrue(response.has("dictionary"));
    +        assertEquals(response.get("lang").asText(), "en");
    +    }
    +
         @Test
         public void testLanguageFallback() throws JsonParseException, JsonMappingException, IOException {
             String fallbackJson = "{"
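Review bot: `testLoadLanguageWithDirectorySlip` only asserts the fallback shape (a `dictionary` key and `lang` equal to `en`), which is the same response a request for a language that simply does not exist produces, so the test does not prove the containment check was what stopped the read. Create a sentinel JSON file outside `langs` (a temporary directory set up by the test) and assert its contents do not appear in the response; adding cases for an absolute path and a Windows-style `..\` separator would also exercise the check across platforms.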
    
