CVE-2025-12155
BaseFortify
Publication date: 2025-11-10
Last updated on: 2025-11-12
Assigner: GoogleCloud
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| looker | looker | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Command Injection issue caused by improper file path sanitization (Directory Traversal) in Looker. It allows an attacker who has Developer permission to execute arbitrary shell commands on the host system when a user is deleted. This affects both Looker-hosted and Self-hosted instances, though the issue has been mitigated for Looker-hosted instances.
How can this vulnerability impact me?
An attacker with Developer permission could exploit this vulnerability to execute arbitrary shell commands on the host system, potentially leading to unauthorized system access, data compromise, or disruption of services. This could result in significant security risks for affected Self-hosted Looker instances if not patched.
What immediate steps should I take to mitigate this vulnerability?
For Self-hosted Looker instances, immediately upgrade to one of the patched versions listed: 24.12.100+, 24.18.192+, 25.0.69+, 25.6.57+, 25.8.39+, or 25.10.22+. Looker-hosted instances have already been mitigated and require no user action.