CVE-2025-12472
BaseFortify

Publication date: 2025-11-19

Last updated on: 2025-11-19

Assigner: GoogleCloud

Description
An attacker with a Looker Developer role could manipulate a LookML project to exploit a race condition during Git directory deletion, leading to arbitrary command execution on the Looker instance. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ :

* 24.12.103+
* 24.18.195+
* 25.0.72+
* 25.6.60+
* 25.8.42+
* 25.10.22+
Meta Information
Generated: 2026-06-16
AI Q&A: 2025-11-19
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)

Vendor   Product   Version / Range
looker   looker    *
CWE

CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization, 'Race Condition'): The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Executive Summary

This vulnerability allows an attacker who already holds a Looker Developer role, that is, an authenticated user permitted to edit LookML projects, to manipulate a LookML project and exploit a race condition (CWE-362) during the deletion of a Git directory. Successful exploitation yields arbitrary command execution on the Looker instance itself, turning LookML development rights into control of the host.

Impact Analysis

If exploited, the attacker runs commands with whatever privileges the Looker service holds, which may lead to unauthorized access to the instance and the data sources it connects to, credential theft, or disruption of service. Because the precondition is an existing Developer role rather than an unauthenticated request, the practical risk is escalation by an insider or a compromised developer account from LookML editing to host compromise. Self-hosted instances remain at risk until upgraded to a patched version; Looker-hosted instances have already been mitigated by Google and need no customer action.

Mitigation Strategies

For Looker-hosted instances, no user action is required as the issue has already been mitigated. For Self-hosted instances, upgrade to one of the patched versions as soon as possible. The patched versions are 24.12.103+, 24.18.195+, 25.0.72+, 25.6.60+, 25.8.42+, and 25.10.22+, downloadable from the Looker download page at https://download.looker.com/. The fix is per release branch, so compare the running build against the minimum for its own branch; an instance on a branch that does not appear in this list has no fixed build on that branch and should be moved to one of the listed branches. Until the upgrade is complete, treat the Developer role as equivalent to shell access on the instance and review who holds it.
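A version check that a self-hosted Looker administrator could run over an instance inventory against the fixed builds listed above. This is an added example, not code from the advisory, from Looker or from BaseFortify. It assumes Looker version strings of the form MAJOR.MINOR.PATCH (optionally prefixed with "v" or suffixed with a build tag), the inventory is constructed sample data, and treating a branch that is absent from the advisory's list as unpatched is this example's conservative reading of "patched in all supported versions".

```python
"""Classify self-hosted Looker versions against the CVE-2025-12472 fixed builds.

Added example; not vendor code. Version format MAJOR.MINOR.PATCH is assumed.
"""
import re
from typing import Dict, Optional, Tuple

# Minimum fixed build per supported release branch, taken from the advisory.
FIXED_BUILDS: Dict[Tuple[int, int], int] = {
    (24, 12): 103,
    (24, 18): 195,
    (25, 0): 72,
    (25, 6): 60,
    (25, 8): 42,
    (25, 10): 22,
}

# Accept an optional leading "v" and ignore any trailing build tag or "+".
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch), or None if the string does not start
    with three dot-separated integers. Unparseable input is rejected, not guessed."""
    m = _VERSION_RE.match(version)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def check_version(version: str) -> Tuple[str, str]:
    """Return (status, reason) where status is "patched", "unpatched" or "unknown".

    - A listed branch is compared against its own minimum fixed build.
    - A branch newer than anything the advisory lists is reported as "unknown"
      (assumption: confirm against the vendor's release notes rather than guess).
    - Any other unlisted branch is reported as "unpatched": the advisory only
      lists fixed builds for supported branches, so no fixed build exists there.
    """
    parsed = parse_version(version)
    if parsed is None:
        return "unknown", f"unparseable version {version!r}"
    major, minor, patch = parsed
    branch = (major, minor)
    fixed = FIXED_BUILDS.get(branch)
    if fixed is not None:
        if patch >= fixed:
            return "patched", f"{major}.{minor}.{patch} is at or above fixed build {major}.{minor}.{fixed}"
        return "unpatched", f"{major}.{minor}.{patch} is below fixed build {major}.{minor}.{fixed}"
    if branch > max(FIXED_BUILDS):
        return "unknown", f"branch {major}.{minor} is newer than the advisory's list; confirm with vendor release notes"
    return "unpatched", f"branch {major}.{minor} has no fixed build in the advisory; move to a listed branch"


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY: Dict[str, str] = {
    "looker-prod-1": "25.8.42",
    "looker-prod-2": "25.8.41",
    "looker-dev": "v24.12.103+",
    "looker-legacy": "24.14.20",
    "looker-old": "24.6.50",
    "looker-new": "25.12.5",
    "looker-unknown": "n/a",
}


def audit(inventory: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Return {host: (status, reason)} for every instance in the inventory."""
    return {host: check_version(v) for host, v in inventory.items()}


if __name__ == "__main__":
    for host, (status, reason) in audit(SAMPLE_INVENTORY).items():
        print(f"{host:16} {status:10} {reason}")
```

The check is deliberately per branch rather than a single "version >= 25.10.22" comparison: 24.18.195 is patched while 25.6.59 is not, so a flat version comparison would misclassify both.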
