CVE-2025-47424: CWE-348 Use of Less Trusted Source in Retool Retool
Retool (self-hosted) before 3.196.0 allows Host header injection. When the BASE_DOMAIN environment variable is not set, the HTTP host header can be manipulated.
AI Analysis
Technical Summary
CVE-2025-47424 is a high-severity vulnerability affecting self-hosted versions of Retool prior to 3.196.0. Retool is a popular low-code platform used to build internal tools and dashboards by connecting to various data sources. The vulnerability arises from improper handling of the HTTP Host header when the BASE_DOMAIN environment variable is not configured. Specifically, this allows an attacker to perform Host header injection attacks. Host header injection occurs when an application uses the Host header value from incoming HTTP requests without proper validation or sanitization. In this case, if BASE_DOMAIN is unset, Retool trusts the Host header, which can be manipulated by an attacker. This can lead to several security issues, including cache poisoning, password reset poisoning, web cache deception, and potentially redirecting users to malicious sites. The CVSS 3.1 score of 7.1 reflects a high severity, with network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), but requiring user interaction (UI:R). The impact includes high confidentiality and integrity loss, with low availability impact. The vulnerability is exploitable remotely but requires some user interaction, such as clicking a crafted link. No known exploits are currently reported in the wild. The affected versions span a wide range of Retool releases from 3.18.1 up to 3.148.1-stable, indicating a long-standing issue fixed only in versions 3.196.0 and later. This vulnerability is categorized under CWE-348, which relates to the use of less trusted sources, highlighting the risk of trusting user-controllable input without validation. Given Retool's role in internal tooling and data access, exploitation could allow attackers to manipulate application behavior, steal sensitive data, or conduct phishing attacks within organizations using vulnerable versions.
Potential Impact
For European organizations, the impact of CVE-2025-47424 can be significant due to Retool's widespread adoption in enterprise environments for building internal dashboards and tools that interface with sensitive data sources. Successful exploitation could lead to unauthorized access to confidential business data, manipulation of internal workflows, and potential lateral movement within corporate networks. The confidentiality and integrity of data are at high risk, which could result in data breaches, compliance violations (e.g., GDPR), and reputational damage. Additionally, attackers could use Host header injection to craft phishing attacks that appear legitimate by leveraging trusted internal domains, increasing the risk of credential theft or malware deployment. The requirement for user interaction means social engineering could be a component of exploitation, which is a common attack vector in corporate environments. The low availability impact suggests service disruption is less likely, but the data integrity and confidentiality risks remain critical. Organizations relying on self-hosted Retool instances must consider this vulnerability a priority for remediation to maintain secure internal operations and protect sensitive information.
Mitigation Recommendations
1. Immediate upgrade: Organizations should upgrade all self-hosted Retool instances to version 3.196.0 or later, where this vulnerability is patched.
2. Configure BASE_DOMAIN: Ensure the BASE_DOMAIN environment variable is explicitly set to the correct domain name to prevent Retool from trusting the Host header.
3. Implement strict input validation: If upgrading immediately is not possible, apply web application firewall (WAF) rules to detect and block suspicious or malformed Host headers targeting Retool endpoints.
4. Monitor logs: Enable detailed logging and monitor HTTP request headers for unusual Host header values that could indicate exploitation attempts.
5. User awareness: Educate users about phishing risks related to manipulated URLs that may arise from Host header injection attacks.
6. Network segmentation: Limit access to Retool instances to trusted internal networks or VPNs to reduce exposure to external attackers.
7. Incident response readiness: Prepare to respond to potential exploitation by having forensic and remediation procedures in place, including revoking compromised credentials and reviewing access logs.
These measures combined will reduce the risk of exploitation and limit potential damage.
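The following is an added illustration of recommendations 2 and 4, not Retool's code and not taken from the advisory. It assumes a self-hosted web application that reads its canonical public origin from a BASE_DOMAIN environment variable (either a bare hostname or a full origin such as https://retool.example.com) and that a reverse proxy may also pass X-Forwarded-Host. It shows the CWE-348 pattern (falling back to the request's Host header when BASE_DOMAIN is unset) beside a hardened version that refuses to run without BASE_DOMAIN and rejects any Host value that does not name it, and a log-review routine that flags requests carrying an unexpected Host or X-Forwarded-Host. The log records, hostnames and the `extra_allowed` parameter are constructed for the example.

```python
"""Host-header validation and access-log review for a self-hosted web app.

Illustrative code written for this advisory; it is not Retool's implementation.
Assumptions: BASE_DOMAIN holds the canonical public origin (bare host or full
origin such as https://retool.example.com); the proxy may set X-Forwarded-Host.
"""
import json
import os
import re
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# A valid Host value is a hostname or a bracketed IPv6 literal with an optional
# port and nothing else: no path, no userinfo, no whitespace.
_HOST_HEADER_RE = re.compile(
    r"^(\[[0-9a-fA-F:.]+\]|[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)(?::(\d{1,5}))?$"
)


def base_domain_host(base_domain: str) -> str:
    """Lowercase hostname taken from BASE_DOMAIN (bare host or full origin)."""
    value = base_domain.strip()
    if "://" not in value:
        value = "//" + value  # lets urlsplit parse a bare host[:port]
    host = urlsplit(value).hostname
    if not host:
        raise ValueError("BASE_DOMAIN does not contain a hostname")
    return host.rstrip(".").lower()


def host_header_host(header: str) -> Optional[str]:
    """Lowercase hostname from a Host/X-Forwarded-Host value, or None if malformed."""
    m = _HOST_HEADER_RE.match(header.strip())
    if not m:
        return None
    host = m.group(1).lower()
    if host.startswith("["):  # IPv6 literal: compare without the brackets
        host = host[1:-1]
    return host.rstrip(".")


def host_matches_base(header: str, base_domain: str, extra_allowed: Iterable[str] = ()) -> bool:
    """Exact hostname comparison. Case and port are ignored; a host that merely
    contains the expected name as a prefix or suffix is rejected. extra_allowed
    (hypothetical) lists additional internal names such as a loopback literal."""
    host = host_header_host(header)
    if host is None:
        return False
    allowed = {base_domain_host(base_domain)}
    for extra in extra_allowed:
        extra_host = host_header_host(extra)
        if extra_host:
            allowed.add(extra_host)
    return host in allowed


def absolute_url_unsafe(request_host: str, path: str, base_domain: Optional[str]) -> str:
    """The CWE-348 pattern: with BASE_DOMAIN unset, the request's Host header
    (a less trusted source) becomes the origin of generated links."""
    origin = base_domain.rstrip("/") if base_domain else f"https://{request_host}"
    return origin + path


def absolute_url_safe(request_host: str, path: str, base_domain: Optional[str]) -> str:
    """Hardened form: require BASE_DOMAIN and reject a Host that does not name it."""
    if not base_domain:
        raise RuntimeError("BASE_DOMAIN is not configured; refusing to derive the origin from the request")
    if not host_matches_base(request_host, base_domain):
        raise ValueError(f"Host header {request_host!r} does not match BASE_DOMAIN")
    origin = base_domain if "://" in base_domain else f"https://{base_domain}"
    return origin.rstrip("/") + path


# Constructed sample access-log records (JSON lines); "xfh" is X-Forwarded-Host.
SAMPLE_LOG_LINES = [
    '{"ts":"2025-05-21T09:00:01Z","src":"10.0.4.12","host":"retool.example.com","xfh":null,"path":"/auth/login"}',
    '{"ts":"2025-05-21T09:00:07Z","src":"10.0.4.12","host":"Retool.Example.com:443","xfh":null,"path":"/api/user"}',
    '{"ts":"2025-05-21T09:01:15Z","src":"203.0.113.7","host":"retool.example.com.attacker.example","xfh":null,"path":"/auth/reset"}',
    '{"ts":"2025-05-21T09:01:16Z","src":"203.0.113.7","host":"retool.example.com","xfh":"attacker.example","path":"/auth/reset"}',
    '{"ts":"2025-05-21T09:02:40Z","src":"10.0.4.30","host":"[::1]:3000","xfh":null,"path":"/healthz"}',
]


def scan_access_log(lines: Iterable[str], base_domain: str, extra_allowed: Iterable[str] = ()) -> List[dict]:
    """Flag every request whose Host or X-Forwarded-Host does not name BASE_DOMAIN."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        for field in ("host", "xfh"):
            value = rec.get(field)
            if value is None:
                continue
            if not host_matches_base(value, base_domain, extra_allowed):
                findings.append({"ts": rec["ts"], "src": rec["src"], "field": field,
                                 "value": value, "path": rec["path"]})
    return findings


if __name__ == "__main__":
    base = os.environ.get("BASE_DOMAIN", "https://retool.example.com")  # demo fallback only
    for finding in scan_access_log(SAMPLE_LOG_LINES, base, extra_allowed=("[::1]",)):
        print(finding)
```

Two points from the sample run are worth noting. The comparison is on the full hostname, so `retool.example.com.attacker.example` is rejected even though it contains the expected name; a substring or suffix check would not catch it. Second, without `extra_allowed` the loopback health probe is also flagged, which is the usual source of noise when this check is first turned on; listing the internal names the proxy legitimately uses keeps the review focused on the external Host values the advisory is concerned with.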
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Switzerland, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-05-07T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9816c4522896dcbd68bb
Added to database: 5/21/2025, 9:08:38 AM
Last enriched: 7/4/2025, 9:40:39 PM
Last updated: 8/7/2025, 4:26:31 AM
Views: 23
Related Threats
- CVE-2025-8285: CWE-862: Missing Authorization in Mattermost Mattermost Confluence Plugin (Medium)
- CVE-2025-54525: CWE-1287: Improper Validation of Specified Type of Input in Mattermost Mattermost Confluence Plugin (High)
- CVE-2025-54478: CWE-306: Missing Authentication for Critical Function in Mattermost Mattermost Confluence Plugin (High)
- CVE-2025-54463: CWE-754: Improper Check for Unusual or Exceptional Conditions in Mattermost Mattermost Confluence Plugin (Medium)
- CVE-2025-54458: CWE-862: Missing Authorization in Mattermost Mattermost Confluence Plugin (Medium)