CVE-2025-47424
📋 TL;DR
This vulnerability allows attackers to manipulate the HTTP Host header in self-hosted Retool instances when the BASE_DOMAIN environment variable is not configured. This can lead to various web-based attacks including cache poisoning, password reset poisoning, and business logic bypasses. Only self-hosted Retool deployments without BASE_DOMAIN configured are affected.
💻 Affected Systems
- Retool (self-hosted)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover via password reset poisoning, cache poisoning attacks affecting all users, or business logic bypass allowing unauthorized access to sensitive data.
Likely Case
Cache poisoning affecting user sessions, manipulation of password reset links, or business logic manipulation leading to unauthorized actions.
If Mitigated
Limited impact with proper network segmentation and monitoring; potential for reconnaissance but limited exploitation.
🎯 Exploit Status
Host header injection is a well-known attack vector with established exploitation techniques. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.196.0
Vendor Advisory: https://docs.retool.com/disclosures/cve-2025-47424
Restart Required: Yes
Instructions:
1. Update Retool to version 3.196.0 or later.
2. Set the BASE_DOMAIN environment variable to your domain.
3. Restart the Retool service.
🔧 Temporary Workarounds
Set BASE_DOMAIN Environment Variable
Configure the BASE_DOMAIN environment variable (all platforms) so that Retool uses your configured domain instead of the request's Host header:
export BASE_DOMAIN=yourdomain.com
Web Server Host Validation
Configure the web server in front of Retool (nginx/Apache, all platforms) to validate Host headers:
# nginx example: server_name yourdomain.com;
# Apache example: UseCanonicalName On
🧯 If You Can't Patch
- Set BASE_DOMAIN environment variable immediately
- Implement network-level controls to restrict access to Retool instance
🔍 How to Verify
Check if Vulnerable:
The instance is vulnerable if the BASE_DOMAIN environment variable is not set and the Retool version is below 3.196.0.
Check Version:
docker exec retool-container cat /app/package.json | grep version
Verify Fix Applied:
Verify that the Retool version is 3.196.0 or later and that BASE_DOMAIN is set to your domain.
📡 Detection & Monitoring
Log Indicators:
- Unusual Host header values in access logs
- Requests with manipulated Host headers
Network Indicators:
- HTTP requests with spoofed Host headers to Retool instance
SIEM Query:
source="retool-logs" AND (Host!="expected-domain.com" OR Host="*" OR Host="")
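The Host-header check behind the web-server workaround and the log-based detection above, as an added Python example that is not part of this page or of Retool: it assumes a constructed access-log format with the request's Host header as the final quoted field, and uses the expected domain as the only allowed value, the same decision that setting BASE_DOMAIN makes for Retool itself.

```python
import re

# Constructed sample access-log lines (not Retool's own log format): combined-log style
# with the request's Host header appended as the final quoted field.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2025:10:00:01 +0000] "POST /password-reset HTTP/1.1" 200 512 "retool.example.com"
10.0.0.9 - - [01/Jul/2025:10:00:02 +0000] "POST /password-reset HTTP/1.1" 200 512 "unexpected.example.net"
10.0.0.9 - - [01/Jul/2025:10:00:03 +0000] "GET /login HTTP/1.1" 200 2048 "retool.example.com:443"
10.0.0.9 - - [01/Jul/2025:10:00:04 +0000] "GET / HTTP/1.1" 200 2048 ""
10.0.0.9 - - [01/Jul/2025:10:00:05 +0000] "GET / HTTP/1.1" 200 2048 "retool.example.com.unexpected.example.net"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ "(?P<host>[^"]*)"$'
)
# Strict shape for a Host value: a DNS name, optionally ":port". Anything else (empty, a path,
# userinfo, whitespace) is treated as not matching rather than being "cleaned up".
HOST_RE = re.compile(r'^(?P<name>[A-Za-z0-9.-]+)(?::(?P<port>\d{1,5}))?$')


def host_allowed(host_header, base_domain, allowed_ports=(80, 443)):
    """True only if the Host header is exactly base_domain, optionally with an allowed port."""
    m = HOST_RE.fullmatch(host_header or "")
    if m is None:
        return False
    # Exact, case-insensitive comparison: a prefix or suffix of the expected domain is not a match.
    if m.group("name").lower() != base_domain.lower():
        return False
    port = m.group("port")
    return port is None or int(port) in allowed_ports


def find_suspicious_requests(log_text, base_domain):
    """Return (ip, request, host) for every parseable line whose Host header is not allowed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparseable line; in production count these and alert on them too
        if not host_allowed(m.group("host"), base_domain):
            hits.append((m.group("ip"), m.group("req"), m.group("host")))
    return hits


if __name__ == "__main__":
    for ip, req, host in find_suspicious_requests(SAMPLE_LOG, "retool.example.com"):
        print(f"{ip} {req!r} unexpected Host={host!r}")
```

Note that in nginx, `server_name yourdomain.com;` alone only selects a server block; a request with a non-matching Host still lands in the default server unless a catch-all `default_server` block rejects it (for example with `return 444;`).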