CVE-2025-12743

Nov. 19, 2025, 7:14 p.m.

6.0
Medium

Description

The Looker endpoint for generating new projects from database connections allows users to specify "looker" as a connection name, which is a reserved internal name for Looker's internal MySQL database. The schemas parameter is vulnerable to SQL injection, enabling attackers to manipulate SELECT queries that are constructed and executed against the internal MySQL database. This vulnerability allows users with developer permissions to extract data from Looker's internal MySQL database. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect against this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.12.106 * 24.18.198+ * 25.0.75 * 25.6.63+ * 25.8.45+ * 25.10.33+ * 25.12.1+ * 25.14+

Product(s) Impacted

Vendor Product Versions
Looker
  • Looker
  • *, 24.12.106, 24.18.198, 25.0.75, 25.6.63, 25.8.45, 25.10.33, 25.12.1, 25.14

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a looker looker / / / / / / / /
a looker looker 24.12.106 / / / / / / /
a looker looker 24.18.198 / / / / / / /
a looker looker 25.0.75 / / / / / / /
a looker looker 25.6.63 / / / / / / /
a looker looker 25.8.45 / / / / / / /
a looker looker 25.10.33 / / / / / / /
a looker looker 25.12.1 / / / / / / /
a looker looker 25.14 / / / / / / /

References

https://cloud.google.com/support/bulletins#gcp-2025-052
https://www.tenable.com/security/research/tra-2025-43

Tags

CWE-89
f45cbf4e-4146-4068-b7e1-655ffc2c548c
2025-11-19
CVE-2025-12743

CVSS Score

6.0 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: PRESENT
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red

    View Vector String

Timeline

Published: Nov. 19, 2025, 5:15 p.m.
Last Modified: Nov. 19, 2025, 7:14 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

f45cbf4e-4146-4068-b7e1-655ffc2c548c

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.