CVE-2025-12414
BaseFortify
Publication date: 2025-11-20
Last updated on: 2025-11-20
Assigner: GoogleCloud
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| looker | looker | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-290 | This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability allows an attacker to take over a Looker account on a Looker instance that is configured with OIDC authentication. The issue arises from the way email address strings are normalized, which an attacker can exploit to gain unauthorized access. Both Looker-hosted and self-hosted instances were vulnerable; the issue has already been mitigated for Looker-hosted instances, while self-hosted instances must be upgraded to a patched version to be protected.
How can this vulnerability impact me?
If exploited, this vulnerability could allow an attacker to take over user accounts in a Looker instance, potentially gaining unauthorized access to sensitive data and functionalities within the platform. This could lead to data breaches, unauthorized data manipulation, and loss of control over the Looker environment.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade your Self-hosted Looker instance to one of the patched versions listed: 24.12.100+, 24.18.193+, 25.0.69+, 25.6.57+, 25.8.39+, 25.10.22+, or 25.12.0+. Looker-hosted instances have already been mitigated.