CVE-2025-47424

High

Retool (self-hosted) before 3.196.0 allows Host header injection. When the BASE_DOMAIN environment variable is not set, the HTTP host…

mitre·CWE-348·Published 2025-05-09

CVSS

7.1

EPSS

0.00

KEV

Exploits

cve.orgen

160 chars

Retool (self-hosted) before 3.196.0 allows Host header injection. When the BASE_DOMAIN environment variable is not set, the HTTP host header can be manipulated.

NVDen

160 chars

Retool (self-hosted) before 3.196.0 allows Host header injection. When the BASE_DOMAIN environment variable is not set, the HTTP host header can be manipulated.

Retool (autoalojado) anterior a la versión 3.196.0 permite la inyección de encabezados de host. Si la variable de entorno BASE_DOMAIN no está configurada, se puede manipular el encabezado HTTP de host.

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
3.1	Primary	cve.org	7.1	—	—	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L/E:P/RL:O/RC:C
3.1	Primary	cve.org	7.1	—	—	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L/E:P/RL:O/RC:C
3.1	Secondary	NVD	7.1	1.6	5.5	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L