CVE-2025-12414
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-12414, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-11-20

Last updated on: 2025-11-20

Assigner: GoogleCloud

Description

An attacker could take over a Looker account in a Looker instance configured with OIDC authentication, due to email address string normalization.Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.12.100+ * 24.18.193+ * 25.0.69+ * 25.6.57+ * 25.8.39+ * 25.10.22+ * 25.12.0+

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-11-20
Last Modified
2025-11-20
Generated
2026-07-06
AI Q&A
2025-11-20
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
looker looker *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability allows an attacker to take over a Looker account in a Looker instance that is configured with OIDC authentication. The issue arises due to email address string normalization, which can be exploited to gain unauthorized access. Both Looker-hosted and Self-hosted instances were vulnerable, but the issue has already been mitigated for Looker-hosted instances. Self-hosted instances need to be upgraded to patched versions to protect against this vulnerability.

Impact Analysis

If exploited, this vulnerability could allow an attacker to take over user accounts in a Looker instance, potentially gaining unauthorized access to sensitive data and functionalities within the platform. This could lead to data breaches, unauthorized data manipulation, and loss of control over the Looker environment.

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade your Self-hosted Looker instance to one of the patched versions listed: 24.12.100+, 24.18.193+, 25.0.69+, 25.6.57+, 25.8.39+, 25.10.22+, or 25.12.0+. Looker-hosted instances have already been mitigated.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12414. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart