Overview
A significant security vulnerability, identified as CVE-2025-12739, has been discovered in Looker, affecting both Looker-hosted and self-hosted instances. It allows an attacker with viewer permissions to potentially execute arbitrary code on the Looker instance by crafting a malicious URL. Exploitation requires a Looker admin to open this URL and at least one Looker extension to be installed on the instance. This poses a substantial risk to data security and system integrity.
Important: This issue has already been mitigated for Looker-hosted instances. No user action is required for these.
Technical Details
CVE-2025-12739 allows a low-privilege user (viewer) to potentially inject and execute arbitrary code. The attack vector is a crafted URL that, when opened by a Looker administrator, triggers execution of an attacker-supplied script. This is possible only when at least one Looker extension is installed on the instance. The underlying weakness lies in how Looker processes URL parameters, which leads to unintended code execution when a privileged user interacts with the crafted URL.
CVSS Analysis
Due to the specific nature of the vulnerability and the requirement for admin interaction, a CVSS score is currently unavailable (N/A). However, given the potential for remote code execution, the severity is considered high.
Possible Impact
Successful exploitation of CVE-2025-12739 could have severe consequences, including:
- Data Breach: An attacker could gain unauthorized access to sensitive data stored within the Looker instance.
- System Compromise: The attacker could potentially compromise the entire Looker server, leading to further malicious activities.
- Privilege Escalation: The attacker could elevate their privileges within the Looker system.
- Data Manipulation: The attacker could modify or delete critical data, disrupting business operations.
Mitigation and Patch Steps
For Self-Hosted Looker Instances: Immediate action is required. Upgrade your Looker instance to one of the patched versions listed below. This vulnerability has been patched in all supported versions of self-hosted Looker.
The following versions have been updated to protect against this vulnerability:
- 24.18.201+
- 25.0.79+
- 25.6.66+
- 25.12.7+
- 25.16.0+
- 25.18.0+
- 25.20.0+
You can download the latest patched versions from the official Looker download page: https://download.looker.com/
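As an added example that is not part of this bulletin, the following Python script checks whether a self-hosted Looker version string is at or above the fixed build for its release train, using the version list above. How unlisted trains are handled (older or in-between trains reported as unpatched, trains newer than 25.20 reported as patched) is an assumption made here, not something the bulletin states.

```python
# Added example, not Looker's own code: decide whether a self-hosted Looker
# version is at or above the fixed build for its release train (CVE-2025-12739).
# PATCHED is copied from the bulletin; the handling of unlisted trains is assumed.

from typing import Tuple

# Fixed builds listed in the bulletin, keyed by (major, minor) release train.
PATCHED = {
    (24, 18): (24, 18, 201),
    (25, 0): (25, 0, 79),
    (25, 6): (25, 6, 66),
    (25, 12): (25, 12, 7),
    (25, 16): (25, 16, 0),
    (25, 18): (25, 18, 0),
    (25, 20): (25, 20, 0),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.BUILD' into a tuple; a missing BUILD counts as 0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Looker version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_patched(text: str) -> bool:
    """True when the version is at or above the fixed build of its own train.

    Assumption (not from the bulletin): a train with no listed fix, whether
    older or between listed trains, is reported as unpatched because the
    bulletin names the fix only in the builds above; a train newer than the
    newest listed one is treated as patched, following the '+' notation.
    """
    major, minor, build = parse_version(text)
    fixed = PATCHED.get((major, minor))
    if fixed is not None:
        return (major, minor, build) >= fixed
    return (major, minor) > max(PATCHED)


if __name__ == "__main__":
    # Constructed sample inventory, one version string per instance.
    for version in ("25.6.65", "25.6.66", "24.16.50", "25.8.10", "25.20.3"):
        status = "patched" if is_patched(version) else "UPGRADE REQUIRED"
        print(f"{version:>10}: {status}")
```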
References
- CVE ID: CVE-2025-12739
- Google Cloud Security Bulletin: https://cloud.google.com/support/bulletins#gcp-2025-068
- Looker Download Page: https://download.looker.com/
Published: 2025-11-24T10:15:59.567
