CVE-2024-47881

OpenRefine is a free, open source tool for working with messy data. Starting in version 3.4-beta and prior to version 3.8.3, in the database extension, the "enable_load_extension" property can be set for the SQLite integration, enabling an attacker to load (local or remote) extension DLLs and so run arbitrary code on the server. The attacker needs to have network access to the OpenRefine instance. Version 3.8.3 fixes this issue.

Published: Oct 24, 2024
Updated: May 4, 2025
CVE: CVE-2024-47881
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
openrefine / openrefine	3.4	3.8.3

https://github.com/OpenRefine/OpenRefine/commit/853a1d91662e7dc278a9a94a38be58de04494056
https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-87cf-j763-vvh8

Vulnerability Database

CVE-2024-47881