CVE-2025-47424
Self-hosted deployments of Retool that do not set the BASE_DOMAIN environment variable may in some cases be vulnerable to Host header injection. All vulnerable versions can be remediated immediately by setting the BASE_DOMAIN environment variable to the full URL of the deployment, for example https://retool.example.com. Beginning with 3.196.0, this environment variable is required for an instance to boot.
Disclosure | Details |
---|---|
Vulnerability Type | CWE-1289: Improper Validation of Unsafe Equivalence in Input. |
Vendor of Product | Retool. |
Affected Product Code Base | See the Affected release versions table below. |
Affected Component | Self-hosted Retool organizations. |
Attack Type | Remote. |
Impact | Escalation of Privileges. |
CVSS 3.x Base Score | 7.1 |
CVSS 3.x Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L/E:P/RL:O/RC:C |
CVSS 4.x Base Score | 5.3 |
CVSS 4.x Vector | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/R:U |
Reference | https://docs.retool.com/releases |
Discoverer | Robinhood Red Team and Doyensec |
Fixed Version | 3.196.0+ |
Is my version of Retool affected?
All current Retool on-prem instances that have not disabled password-based authentication may be vulnerable (this is quick to check: if no email-and-password login form appears when you open Retool, password authentication is disabled). If password authentication has not been disabled, your Retool instance is potentially vulnerable only if all of the following apply to you:
- You do not have the BASE_DOMAIN environment variable set.
- Your Retool instance is reachable without any request filtering based on the Host header. This is likely the case if you are not using a reverse proxy, or if your reverse proxy forwards requests for all hostnames.
- A user in your instance relies solely on password-based authentication. This is the case when all of the following apply:
  - The Disable Login with Email and Password setting is disabled.
  - Two-factor authentication is not enforced.
  - At least one user in your instance has no second factor configured.
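The two conditions an operator can verify offline, as an added example written for this page (it is not Retool's own tooling and not part of the original advisory): a check that BASE_DOMAIN is set to a full URL, as the remediation above requires, and a check for whether a foreign Host header value is reflected into redirect targets or generated links in a response. The .env contents, the two HTTP responses, and the probe hostname attacker.example are all constructed for the example; `probe_live` is an optional helper that sends the same check to a real instance and makes no claim about how Retool itself handles the header.

```python
"""Offline checks for the two conditions in the advisory above.

Added example, not Retool's code. The sample .env files and HTTP
responses below are constructed; attacker.example is an arbitrary
marker hostname, chosen because it should never appear in a response
unless the server copied it from the request's Host header.
"""
import http.client
import re
from urllib.parse import urlsplit

# Constructed docker-compose style .env files (hypothetical deployments).
WEAK_ENV = """
NODE_ENV=production
POSTGRES_HOST=postgres
"""

FIXED_ENV = """
NODE_ENV=production
POSTGRES_HOST=postgres
BASE_DOMAIN=https://retool.example.com
"""

PROBE_HOST = "attacker.example"

# Constructed responses, not captured from a real instance.
REFLECTING_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://attacker.example/auth/login\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<a href="https://attacker.example/auth/login">Continue</a>'
)

PINNED_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://retool.example.com/auth/login\r\n"
    "\r\n"
    '<a href="https://retool.example.com/auth/login">Continue</a>'
)


def parse_env(text: str) -> dict:
    """Minimal KEY=VALUE parser for a .env file; comments and blanks skipped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def check_base_domain(env: dict) -> list:
    """Return findings about BASE_DOMAIN (empty list means it looks right).

    The advisory asks for the full URL of the deployment, so a bare
    hostname without a scheme is reported as well as a missing variable.
    """
    value = env.get("BASE_DOMAIN")
    if not value:
        return ["BASE_DOMAIN is not set (advisory remediation missing)"]
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return [f"BASE_DOMAIN={value!r} is not a full URL with a scheme and host"]
    return []


def host_reflected(raw_response: str, probe_host: str) -> list:
    """Names of response headers, plus 'body', in which probe_host appears.

    A probe host showing up in Location or in absolute links means the
    server built URLs from the request's Host header. This detects
    reflection only; it does not by itself demonstrate any further impact.
    """
    head, _, body = raw_response.partition("\r\n\r\n")
    hits = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if probe_host.lower() in value.lower():
            hits.append(name.strip())
    if re.search(r"https?://" + re.escape(probe_host), body, re.I):
        hits.append("body")
    return hits


def probe_live(instance_url: str, probe_host: str = PROBE_HOST, path: str = "/") -> list:
    """Send one request with a foreign Host header to a real instance.

    Only run this against an instance you operate. http.client does not
    add its own Host header when one is supplied explicitly.
    """
    parts = urlsplit(instance_url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=10)
    conn.request("GET", path, headers={"Host": probe_host})
    resp = conn.getresponse()
    head = f"HTTP/1.1 {resp.status} {resp.reason}\r\n" + "".join(
        f"{k}: {v}\r\n" for k, v in resp.getheaders()
    )
    raw = head + "\r\n" + resp.read().decode("utf-8", "replace")
    conn.close()
    return host_reflected(raw, probe_host)


if __name__ == "__main__":
    print("weak .env  :", check_base_domain(parse_env(WEAK_ENV)))
    print("fixed .env :", check_base_domain(parse_env(FIXED_ENV)))
    print("reflecting :", host_reflected(REFLECTING_RESPONSE, PROBE_HOST))
    print("pinned     :", host_reflected(PINNED_RESPONSE, PROBE_HOST))
```

A non-empty result from `host_reflected` is the signal to act on: set BASE_DOMAIN to the deployment's full URL, and if a reverse proxy fronts the instance, have it serve only the configured hostname rather than every Host value it receives, which closes the second condition in the list above as well.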
Affected release versions
Release | Release versions |
---|---|
3.18 | 3.18.1 to 3.18.23 |
3.20 | 3.20.1 to 3.20.18 |
3.22 | 3.22.1 to 3.22.21 |
3.24 | 3.24.1 to 3.24.22 |
3.26 | 3.26.4 to 3.26.14 |
3.28 | 3.28.3 to 3.28.15 |
3.30 | 3.30.1 to 3.30.15 |
3.32 | 3.32.1 to 3.32.12 |
3.33 | 3.33.1-stable to 3.33.37-stable |
3.52 | 3.52.1-stable to 3.52.28-stable |
3.75 | 3.75.1-stable to 3.75.25-stable |
3.114 | 3.114.1-stable to 3.114.22-stable |
3.148 | 3.148.1-stable to 3.148.22-stable |
Notification Update: 2025-05-09
An email sent to customers on 2025-05-09 incorrectly described which Retool instances are affected. Where that email describes affected versions, the criteria in the section Is my version of Retool affected? above apply instead.