CVE-2025-12741

Nov. 25, 2025, 10:16 p.m.

7.7
High

Description

A Looker user with Developer role could create a database connection using Denodo driver and, by manipulating LookML, cause Looker to execute a malicious command. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.12.108+ * 24.18.200+ * 25.0.78+ * 25.6.65+ * 25.8.47+ * 25.12.10+ * 25.14+

Product(s) Impacted

Vendor Product Versions
Looker
  • Looker
  • 24.12.108, 24.18.200, 25.0.78, 25.6.65, 25.8.47, 25.12.10, 25.14

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-20
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a looker looker 24.12.108 / / / / / / /
a looker looker 24.18.200 / / / / / / /
a looker looker 25.0.78 / / / / / / /
a looker looker 25.6.65 / / / / / / /
a looker looker 25.8.47 / / / / / / /
a looker looker 25.12.10 / / / / / / /
a looker looker 25.14 / / / / / / /

References

https://cloud.google.com/support/bulletins#gcp-2025-052

Tags

CWE-20
f45cbf4e-4146-4068-b7e1-655ffc2c548c
2025-11-24
CVE-2025-12741

CVSS Score

7.7 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Attack Requirements: PRESENT
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red

    View Vector String

Timeline

Published: Nov. 24, 2025, 12:15 p.m.
Last Modified: Nov. 25, 2025, 10:16 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

f45cbf4e-4146-4068-b7e1-655ffc2c548c

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.