CVE-2025-12414
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-20

Last updated on: 2025-11-20

Assigner: GoogleCloud

Description
An attacker could take over a Looker account in a Looker instance configured with OIDC authentication, due to email address string normalization.Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.12.100+ * 24.18.193+ * 25.0.69+ * 25.6.57+ * 25.8.39+ * 25.10.22+ * 25.12.0+
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-20
Last Modified
2025-11-20
Generated
2026-06-16
AI Q&A
2025-11-20
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12414
EUVD
EUVD-2025-198285
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
looker looker *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability allows an attacker to take over a Looker account in a Looker instance that is configured with OIDC authentication. The issue arises due to email address string normalization, which can be exploited to gain unauthorized access. Both Looker-hosted and Self-hosted instances were vulnerable, but the issue has already been mitigated for Looker-hosted instances. Self-hosted instances need to be upgraded to patched versions to protect against this vulnerability.

Impact Analysis

If exploited, this vulnerability could allow an attacker to take over user accounts in a Looker instance, potentially gaining unauthorized access to sensitive data and functionalities within the platform. This could lead to data breaches, unauthorized data manipulation, and loss of control over the Looker environment.

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade your Self-hosted Looker instance to one of the patched versions listed: 24.12.100+, 24.18.193+, 25.0.69+, 25.6.57+, 25.8.39+, 25.10.22+, or 25.12.0+. Looker-hosted instances have already been mitigated.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12414. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart