CVE-2025-12409
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-10

Last updated on: 2025-11-12

Assigner: GoogleCloud

Description
A SQL injection vulnerability was discovered in Looker Studio that allowed for data exfiltration from BigQuery data sources. By creating a malicious report with native functions enabled, and having the victim access the report, an attacker could execute injected SQL queries with the victim's permissions in BigQuery. This vulnerability was patched on 07 July 2025, and no customer action is needed.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-10
Last Modified
2025-11-12
Generated
2026-06-16
AI Q&A
2025-11-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12409
EUVD
EUVD-2025-44038
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
google looker_studio *
google bigquery *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a high-severity SQL injection flaw in Google Cloud's Looker Studio affecting BigQuery data sources. An attacker creates a malicious Looker Studio report with native functions enabled and injects specially crafted SQL code into calculated fields. When a victim with access to the report opens or interacts with it, the injected SQL executes with the victim's BigQuery permissions, allowing the attacker to extract data from the victim's BigQuery datasets. The attack uses a blind, cross-tenant SQL injection technique that exfiltrates data character-by-character into attacker-controlled public BigQuery tables. This happens without requiring further user interaction beyond accessing the malicious report or a website embedding it. [1]

Impact Analysis

This vulnerability can lead to unauthorized data exfiltration from your BigQuery datasets if you access a malicious Looker Studio report crafted by an attacker. The attacker can execute arbitrary SQL queries with your permissions, potentially exposing sensitive data stored in your BigQuery environment. This can result in data breaches, loss of confidentiality, and exposure of private or proprietary information without your knowledge. [1]

Detection Guidance

Detection involves monitoring for unusual Looker Studio reports with native functions enabled and suspicious SQL queries targeting BigQuery datasets. Specifically, look for reports containing calculated fields with SQL comments (e.g., /**/SELECT) or queries referencing attacker-controlled exfiltration tables named like exfilA, exfilB, etc. Network or log analysis should focus on BigQuery query logs for blind SQL injection patterns and unexpected data access. There are no specific commands provided in the resources. [1]

Mitigation Strategies

Immediate mitigation involves ensuring that your Looker Studio environment is updated with the patch deployed by Google by August 2025, which prevents exploitation via this method. Since the vulnerability has been remediated in production, no customer action is needed. Additionally, avoid enabling native functions in Looker Studio reports unless absolutely necessary and monitor sharing permissions to prevent unauthorized report access. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12409. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart