CVE-2025-12739
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-24

Last updated on: 2025-11-24

Assigner: GoogleCloud

Description
An attacker with viewer permissions in Looker could craft a malicious URL that, when opened by a Looker admin, would execute an attacker-supplied script. Exploitation required at least one Looker extension installed on the instance. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances.Β No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.18.201+ * 25.0.79+ * 25.6.66+ * 25.12.7+ * 25.16.0+ * 25.18.0+ * 25.20.0+
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-24
Last Modified
2025-11-24
Generated
2026-06-16
AI Q&A
2025-11-24
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12739
EUVD
EUVD-2025-198626
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
looker looker *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability allows an attacker with viewer permissions in Looker to create a malicious URL that, when opened by a Looker admin, executes an attacker-supplied script. Exploitation requires at least one Looker extension installed on the instance. It affects both Looker-hosted and Self-hosted instances, but has been mitigated for Looker-hosted instances. Self-hosted instances need to be upgraded to patched versions to protect against this vulnerability.

Impact Analysis

If exploited, this vulnerability could allow an attacker to execute arbitrary scripts in the context of a Looker admin user, potentially leading to unauthorized actions, data exposure, or compromise of the Looker environment. This could result in loss of control over the system or sensitive information.

Mitigation Strategies

For Looker-hosted instances, no user action is required as the issue has already been mitigated. For Self-hosted instances, you should upgrade to one of the patched versions as soon as possible. The patched versions are 24.18.201+, 25.0.79+, 25.6.66+, 25.12.7+, 25.16.0+, 25.18.0+, and 25.20.0+. These versions can be downloaded from the Looker download page at https://download.looker.com/.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12739. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart