The Chat component is now the LLM Chat component
Retool renamed the Chat component to LLM Chat to provide more clarity on the purpose of the component. No user action is required.
Changelog
Updates, changes, and improvements at Retool.
Refer to the stable and edge release notes for detailed information about self-hosted releases.
Tags
Tags
CVE-2025-47424
Self-hosted deployments of Retool missing the BASE_DOMAIN environment variable may in some cases be vulnerable to host header injections. All vulnerable versions can be remediated immediately by properly setting the BASE_DOMAIN environment variable to the full URL of the deployment, such as https://retool.example.com. Beginning with 3.196.0, this environment variable will be required for an instance on boot.
| Disclosure | Details |
|---|---|
| Vulnerability Type | CWE-1289: Improper Validation of Unsafe Equivalence in Input. |
| Vendor of Product | Retool. |
| Affected Product Code Base | View affected release versions. |
| Affected Component | Self-hosted Retool organizations. |
| Attack Type | Remote. |
| Impact | Escalation of Privileges. |
| CVSS 3.x Base Score | 7.1 |
| CVSS 3.x Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L/E:P/RL:O/RC:C |
| CVSS 4.x Base Score | 5.3 |
| CVSS 4.x Vector | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/R:U |
| Reference | https://docs.retool.com/releases |
| Discoverer | Robinhood Red Team and Doyensec |
| Fixed Version | 3.196.0+ |
Is my version of Retool affected?
All current Retool on-prem instances that have not yet disabled password based authentication may be vulnerable (this is easily checked by verifying that there is no form to login with a password when opening up Retool.) If password auth has not been disabled, your Retool instance is potentially vulnerable if all of the following apply to you:
- You do not have the BASE_DOMAIN environment variable set.
- Your Retool instance is reachable without any request filtering based on the Host header. This is likely the case if you’re not using a reverse proxy or that reverse proxy forwards requests for all domains.
- A user in your instance solely relies on password based authentication. This is the case when all of the following apply
- You have the Disable Login with Email and Password setting disabled
- You have not enforced Two Factor Authentication
- A user in your instance does not have a second factor authentication configured.
Affected release versions
| Release | Release versions |
|---|---|
| 3.18 | 3.18.1 to 3.18.23 |
| 3.20 | 3.20.1 to 3.20.18 |
| 3.22 | 3.22.1 to 3.22.21 |
| 3.24 | 3.24.1 to 3.24.22 |
| 3.26 | 3.26.4 to 3.26.14 |
| 3.28 | 3.28.3 to 3.28.15 |
| 3.30 | 3.30.1 to 3.30.15 |
| 3.32 | 3.32.1 to 3.32.12 |
| 3.33 | 3.33.1-stable to 3.33.37-stable |
| 3.52 | 3.52.1-stable to 3.52.28-stable |
| 3.75 | 3.75.1-stable to 3.75.25-stable |
| 3.114 | 3.114.1-stable to 3.114.22-stable |
| 3.148 | 3.148.1-stable to 3.148.22-stable |
Notification Update: 2025-05-09
An email to customers sent on 2025-05-09 incorrectly described which Retool instances are affected. The section on affected versions should instead be Is my version of Retool affected?.
Tags
Improvements to Source Control for workflows
Available on Retool Cloud and in self-hosted Retool 3.200.0 or later.
Improvements to source control on Workflows are now generally available on Self-hosted Retool 3.200.0-edge and in the upcoming stable release. The following features are now supported for all users on Enterprise plans:
Retool made several improvements to the usage of Source Control with Retool Workflows. The following features are now supported on Enterprise plans:
- Branched changes. You can now make changes to workflows using branches. Previously, all Source Control changes on workflows were branchless.
- Multi-element branching. You can make edits to workflows on the same branch as edits to apps, modules, and Query Library queries.
- Collaborative branches. Multiple users can commit changes and merge pull requests on collaborative branches.
This feature was previously released as generally available for cloud instances and as closed beta for self-hosted instances.
Tags
Google Calendar integration
Google Calendar Integration is currently in public beta on Retool Cloud and on Self-hosted Retool.
Retool now supports an integration to the Google Calendar API. Use this integration in combination with the Calendar or Timeline components to interact with calendars and events.
Refer to the Calendar guide for information on how to use this resource with the Calendar component.
Tags
Google Docs integration
Google Docs Integration is currently in public beta on Retool Cloud and on Self-hosted Retool.
Retool now supports an integration to Google Docs, which utilizes the Google Docs API and the Google Drive API. Use this integration to retrieve, create, and update documents.
Tags
Record user sessions with Fullstory
Session replay integration is currently in public beta on Retool Cloud and on Self-hosted Retool 3.196.0 or later.
Retool can record user behavior and interactions with apps using Fullstory. When enabled, data about user interactions with apps are reported directly to Fullstory for you to review in detail. You can then analyze app analytics, evaluate impact, and review interactions with session replay. This integration is useful for monitoring user activity across different apps, and using advanced analytical tools like heatmaps and funnels to identify usage patterns, debug errors, and improve the overall user experience.
Tags
Backend runtime upgraded to Node.js v20.18 in self-hosted Retool 3.163
The backend runtime in self-hosted Retool 3.163 and later has been upgraded to use Node.js v20.18. This change may result in memory and CPU usage of containers to increase. Without sufficient resources, this could impact the performance of Retool Workflows. If necessary, you can increase the memory limits for workflows using the WORKFLOW_MEMORY_LIMIT_MBS environment variable.
Tags
Disable catch-up commits in Source Control
Available on Retool Cloud and in self-hosted Retool 3.196 or later.
If your organization uses Source Control, Retool sometimes creates an automatic commit, called a catch-up commit, which keeps your branches up to date. If you want to ensure that developers in your organization retain complete control of changes within their feature branches, you can now disable catch-up commits using the following steps:
- Navigate to Settings > Source Control and click the Edit Settings button on the top right.
- Toggle on the Disable auto catch up commits setting.
If you disable catch-up commits, users in your organization must manually, outside of Retool, rebase their branch and resolve conflicts in order to keep their branch up to date.
To avoid issues with catch-up commits and other merge control mechanisms, refer to Retool's Merge conflict prevention strategies.
Tags
Multi-step functions
Available on Retool Cloud and in self-hosted Retool 3.191 or later.
Multi-step functions are now generally available in Retool Workflows. They operate as self-contained workflows with optional parameters.
Multi-step functions improve the Workflows experience in several key areas:
- Isolating complex operations with many steps.
- Enabling nested looping, replacing the need for multiple subsequent Loop blocks operating on the same piece of data.
- Eliminating the need to call a workflow from within another, therefore decreasing the number of billable workflow runs.
- Enabling builders to reuse blocks of code within a single workflow.
Existing users of functions can continue using their functions as normal. Functions that were created previous to this release are now treated as single-step functions.
Tags
Error reporting for Retool Workflows
Error reporting for workflows is currently in public beta on Retool Cloud and on Self-hosted Retool 3.196-edge or later. Error reporting for workflows is currently in on Self-hosted Retool 3.196.1-stable or later. Join the waitlist at https://workflowstools.retool.com/form/4e398a00-afa3-415b-8810-1c773a18afb7.
You can now connect your organization to Sentry and Datadog for workflow error monitoring and event logging.
To set up error reporting, go to the Settings and navigate to Configuration > Observability. Enter your Sentry and Datadog credentials to emit workflow errors and run events to either or both providers.
Connecting to external observability providers is especially useful for your organization if:
- You have a high volume of workflow runs that your organization would prefer to monitor systematically, outside of the workflows run panel UI.
- You use a cloud instance and you want to retain a record of workflow run events beyond the 90 day retention period.