CVE-2025-47424

Summary

Retool (self-hosted) before 3.196.0 allows Host header injection. When the BASE_DOMAIN environment variable is not set, the HTTP host header can be manipulated.

Affected Software

VendorProductVersion RangeStatus
RetoolRetool3.18.1 <= 3.18.23affected
RetoolRetool3.20.1 <= 3.20.18affected
RetoolRetool3.22.1 <= 3.22.21affected
RetoolRetool3.24.1 <= 3.24.22affected
RetoolRetool3.26.4 <= 3.26.14affected
RetoolRetool3.28.3 <= 3.28.15affected
RetoolRetool3.30.1 <= 3.30.15affected
RetoolRetool3.32.1 <= 3.32.12affected
RetoolRetool3.33.1-stable <= 3.33.37-stableaffected
RetoolRetool3.52.1-stable <= 3.52.28-stableaffected
RetoolRetool3.75.1-stable <= 3.75.25-stableaffected
RetoolRetool3.114.1-stable <= 3.114.22-stableaffected
RetoolRetool3.148.1-stable <= 3.148.22-stableaffected

Weaknesses

  • CWE-348: CWE-348 Use of Less Trusted Source

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References