CVE-2025-12409
BaseFortify
Publication date: 2025-11-10
Last updated on: 2025-11-12
Assigner: GoogleCloud
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| looker_studio | * | |
| bigquery | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a high-severity SQL injection flaw in Google Cloud's Looker Studio affecting BigQuery data sources. An attacker creates a malicious Looker Studio report with native functions enabled and injects specially crafted SQL code into calculated fields. When a victim with access to the report opens or interacts with it, the injected SQL executes with the victim's BigQuery permissions, allowing the attacker to extract data from the victim's BigQuery datasets. The attack uses a blind, cross-tenant SQL injection technique that exfiltrates data character-by-character into attacker-controlled public BigQuery tables. This happens without requiring further user interaction beyond accessing the malicious report or a website embedding it. [1]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized data exfiltration from your BigQuery datasets if you access a malicious Looker Studio report crafted by an attacker. The attacker can execute arbitrary SQL queries with your permissions, potentially exposing sensitive data stored in your BigQuery environment. This can result in data breaches, loss of confidentiality, and exposure of private or proprietary information without your knowledge. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves monitoring for unusual Looker Studio reports with native functions enabled and suspicious SQL queries targeting BigQuery datasets. Specifically, look for reports containing calculated fields with SQL comments (e.g., /**/SELECT) or queries referencing attacker-controlled exfiltration tables named like exfilA, exfilB, etc. Network or log analysis should focus on BigQuery query logs for blind SQL injection patterns and unexpected data access. There are no specific commands provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves ensuring that your Looker Studio environment is updated with the patch deployed by Google by August 2025, which prevents exploitation via this method. Since the vulnerability has been remediated in production, no customer action is needed. Additionally, avoid enabling native functions in Looker Studio reports unless absolutely necessary and monitor sharing permissions to prevent unauthorized report access. [1]