Description

Retool (self-hosted) before 3.196.0 allows Host header injection. When the BASE_DOMAIN environment variable is not set, the HTTP host header can be manipulated.
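To make the described condition concrete, the following added Python illustration (not Retool's own code, which the advisory does not show) models the two behaviours: building an absolute origin from the client-supplied Host header when BASE_DOMAIN is unset, and the hardened variant that requires BASE_DOMAIN and rejects non-matching Host values. The function names, the log-line format and the sample hosts are constructed for this example.

```python
import re

# Hostname with optional port; used only to reject malformed Host values.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")


def public_origin_vulnerable(env, request_host):
    """Pattern the advisory describes: with BASE_DOMAIN unset, the
    attacker-controllable Host header decides the origin used in URLs."""
    base = env.get("BASE_DOMAIN")
    return f"https://{base}" if base else f"https://{request_host}"


def public_origin_hardened(env, request_host):
    """Mitigation: derive the origin only from BASE_DOMAIN and refuse
    requests whose Host header does not match it."""
    base = env.get("BASE_DOMAIN")
    if not base:
        raise RuntimeError("BASE_DOMAIN must be set; refusing to trust Host")
    if not HOSTNAME_RE.match(request_host):
        raise ValueError("malformed Host header")
    host_only = request_host.split(":", 1)[0].lower()
    if host_only != base.lower():
        raise ValueError(f"Host {request_host!r} != BASE_DOMAIN {base!r}")
    return f"https://{base}"


def host_mismatches(log_lines, base_domain):
    """Detection aid: return Host values in constructed access-log lines
    ('host=<h> path=<p>') that differ from the configured BASE_DOMAIN."""
    hits = []
    for line in log_lines:
        match = re.search(r"host=(\S+)", line)
        if not match:
            continue
        host_only = match.group(1).split(":", 1)[0].lower()
        if host_only != base_domain.lower():
            hits.append(match.group(1))
    return hits


# Constructed sample log for the detection helper.
SAMPLE_LOG = [
    "host=retool.example.com path=/login",
    "host=retool.example.com:443 path=/api/pages",
    "host=unexpected.example path=/login",
]
```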

State: PUBLISHED | Reserved 2025-05-07 | Published 2025-05-09 | Updated 2025-05-12 | Assigner: mitre

Severity: HIGH 7.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L/E:P/RL:O/RC:C

Problem types

CWE-348 Use of Less Trusted Source

Product status

Default status: unaffected

3.18.1 (custom): affected
3.20.1 (custom): affected
3.22.1 (custom): affected
3.24.1 (custom): affected
3.26.4 (custom): affected
3.28.3 (custom): affected
3.30.1 (custom): affected
3.32.1 (custom): affected
3.33.1-stable (custom): affected
3.52.1-stable (custom): affected
3.75.1-stable (custom): affected
3.114.1-stable (custom): affected
3.148.1-stable (custom): affected

References

Vendor disclosure: docs.retool.com/disclosures/cve-2025-47424
CVE record: cve.org (CVE-2025-47424)
NVD entry: nvd.nist.gov (CVE-2025-47424)