CVE-2025-12739
BaseFortify
Publication date: 2025-11-24
Last updated on: 2025-11-24
Assigner: GoogleCloud
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| looker | looker | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability allows an attacker with viewer permissions in Looker to create a malicious URL that, when opened by a Looker admin, executes an attacker-supplied script. Exploitation requires at least one Looker extension installed on the instance. It affects both Looker-hosted and Self-hosted instances, but has been mitigated for Looker-hosted instances. Self-hosted instances need to be upgraded to patched versions to protect against this vulnerability.
How can this vulnerability impact me? :
If exploited, this vulnerability could allow an attacker to execute arbitrary scripts in the context of a Looker admin user, potentially leading to unauthorized actions, data exposure, or compromise of the Looker environment. This could result in loss of control over the system or sensitive information.
What immediate steps should I take to mitigate this vulnerability?
For Looker-hosted instances, no user action is required as the issue has already been mitigated. For Self-hosted instances, you should upgrade to one of the patched versions as soon as possible. The patched versions are 24.18.201+, 25.0.79+, 25.6.66+, 25.12.7+, 25.16.0+, 25.18.0+, and 25.20.0+. These versions can be downloaded from the Looker download page at https://download.looker.com/.