Dear OpenRefine Team,
I am writing to report a security vulnerability affecting OpenRefine and to request information about a potential patch or update.
Environment Details:
- OpenRefine Version: 3.9.5 (latest available)
- Operating System: Microsoft Windows Server 2019 Datacenter Build 17763
- Server: Analytics - Azure - NEU
Vulnerability Details:
Our security scan has identified that OpenRefine contains an outdated Apache Log4j Core library vulnerable to CVE-2025-68161, which exposes it to man-in-the-middle (MitM) attacks through missing TLS hostname verification in the Socket Appender component.
- CVE: CVE-2025-68161
- CVSS Score: 4.8 (Medium Severity)
- Nessus Plugin ID: 282519
- Current Log4j Version: 2.24.3
- Required Version: 2.25.3 or later
Affected File:
Path: C:\Program Files\OpenRefine\server\target\lib\log4j-core-2.24.3.jar
Installed version: 2.24.3
Fixed version: 2.25.3
Vulnerability Summary:
The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of peer certificates, even when the verifyHostName configuration attribute or the log4j2.sslVerifyHostName system property is set to true. This may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions:
- The attacker is able to intercept or redirect network traffic between the client and the log receiver
- The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender's configured trust store (or by the default Java trust store if no custom trust store is configured)
Request:
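Added example, not part of the report above and not OpenRefine's or Log4j's code: a small Python check that confirms which log4j-core version is actually installed by reading each jar's embedded Maven metadata (META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties) instead of trusting the version in the file name that the scanner matched on. It assumes the Apache-published log4j-core jars carry that metadata file (Maven-built jars do; a shaded or repackaged copy may not); the fixed version 2.25.3 is taken from the report. The sample jars it builds are constructed fixtures, not real artifacts.

```python
"""Confirm the log4j-core version actually shipped in a directory tree by
reading each jar's embedded Maven metadata, rather than trusting the version
in the file name the scanner matched on.  Added example, not part of the
report or of OpenRefine."""
import os
import re
import sys
import tempfile
import zipfile

# First release carrying the Socket Appender hostname-verification fix,
# as stated in the report above.
FIXED_VERSION = (2, 25, 3)

# Maven-built jars carry their coordinates here (assumption: Apache's
# published log4j-core jars do; a shaded or repackaged copy may not).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """'2.24.3' -> (2, 24, 3); trailing qualifiers such as '-SNAPSHOT' are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def log4j_core_version(jar_path):
    """Return the log4j-core version recorded inside the jar, or None if the
    jar is not log4j-core (or carries no Maven metadata)."""
    with zipfile.ZipFile(jar_path) as jar:
        if POM_PROPS not in jar.namelist():
            return None
        for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return parse_version(value)
    return None


def scan_tree(root):
    """Walk `root` and report every log4j-core jar as
    (path, version tuple, vulnerable), where vulnerable means version < FIXED_VERSION."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                version = log4j_core_version(path)
            except zipfile.BadZipFile:
                continue  # not a real jar; skip it rather than abort the sweep
            if version is not None:
                findings.append((path, version, version < FIXED_VERSION))
    return findings


def make_sample_jar(path, version):
    """Constructed fixture: a minimal jar holding only the Maven metadata."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(
            POM_PROPS,
            f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n",
        )


def demo():
    """Build a constructed lib directory with one vulnerable jar, one fixed jar
    and one jar whose file name misstates its version, then scan it.
    Returns [(file name, version, vulnerable), ...] sorted by file name."""
    with tempfile.TemporaryDirectory() as lib:
        make_sample_jar(os.path.join(lib, "log4j-core-2.24.3.jar"), "2.24.3")
        make_sample_jar(os.path.join(lib, "log4j-core-2.25.3.jar"), "2.25.3")
        # File name claims 2.25.3 but the metadata inside says 2.24.3.
        make_sample_jar(os.path.join(lib, "log4j-core-2.25.3-renamed.jar"), "2.24.3")
        # An unrelated jar without log4j metadata must be ignored, not flagged.
        with zipfile.ZipFile(os.path.join(lib, "other.jar"), "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        return sorted(
            (os.path.basename(p), v, vulnerable) for p, v, vulnerable in scan_tree(lib)
        )


if __name__ == "__main__":
    # Pass a directory (e.g. OpenRefine's server\target\lib) to scan it; otherwise run the demo.
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, version, vulnerable in results:
        print(f"{path}: {'.'.join(map(str, version))} {'VULNERABLE' if vulnerable else 'ok'}")
```

Run it with the OpenRefine lib directory as the argument to get a per-jar verdict; the renamed fixture in the demo shows why the metadata, not the file name, is the thing to compare against the fixed version.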