CVE-2025-12742
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-25

Last updated on: 2025-11-25

Assigner: GoogleCloud

Description
A Looker user with a Developer role could cause Looker to execute a malicious command, due to insecure processing of Teradata driver parameters. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances.Β No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.12.108+ * 24.18.200+ * 25.0.78+ * 25.6.65+ * 25.8.47+ * 25.12.10+ * 25.14+
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-25
Last Modified
2025-11-25
Generated
2026-06-16
AI Q&A
2025-11-25
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12742
EUVD
EUVD-2025-199551
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
looker looker *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability allows a Looker user with a Developer role to cause Looker to execute a malicious command due to insecure processing of Teradata driver parameters. It affects both Looker-hosted and Self-hosted instances, but has already been mitigated for Looker-hosted instances. Self-hosted instances need to be upgraded to patched versions to protect against this issue.

Impact Analysis

If exploited, this vulnerability could allow a Developer role user to execute malicious commands within Looker, potentially leading to unauthorized actions or compromise of the system. This could affect data integrity, confidentiality, and system stability, especially on Self-hosted instances that have not been updated.

Mitigation Strategies

For Looker-hosted instances, no user action is required as the issue has already been mitigated. For Self-hosted instances, you must upgrade to one of the patched versions as soon as possible. The patched versions are 24.12.108+, 24.18.200+, 25.0.78+, 25.6.65+, 25.8.47+, 25.12.10+, and 25.14+. You can download these versions from the Looker download page at https://download.looker.com/.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12742. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart