CVE-2025-12742
BaseFortify
Publication date: 2025-11-25
Last updated on: 2025-11-25
Assigner: GoogleCloud
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| looker | looker | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability allows a Looker user with a Developer role to cause Looker to execute a malicious command due to insecure processing of Teradata driver parameters. It affects both Looker-hosted and Self-hosted instances, but has already been mitigated for Looker-hosted instances. Self-hosted instances need to be upgraded to patched versions to protect against this issue.
How can this vulnerability impact me? :
If exploited, this vulnerability could allow a Developer role user to execute malicious commands within Looker, potentially leading to unauthorized actions or compromise of the system. This could affect data integrity, confidentiality, and system stability, especially on Self-hosted instances that have not been updated.
What immediate steps should I take to mitigate this vulnerability?
For Looker-hosted instances, no user action is required as the issue has already been mitigated. For Self-hosted instances, you must upgrade to one of the patched versions as soon as possible. The patched versions are 24.12.108+, 24.18.200+, 25.0.78+, 25.6.65+, 25.8.47+, 25.12.10+, and 25.14+. You can download these versions from the Looker download page at https://download.looker.com/.