Overview
A critical security vulnerability, tracked as CVE-2025-12740, has been identified in Looker. It affects both Looker-hosted and self-hosted instances. An authenticated user holding the Developer role could use it to execute arbitrary commands on the Looker host.
Looker-hosted instances have already been mitigated automatically. Operators of self-hosted Looker instances must upgrade to one of the patched versions listed below without delay.
Technical Details
CVE-2025-12740 stems from insufficient filtering of the parameters Looker passes to the IBM DB2 driver when it sets up a database connection. A Looker user with the Developer role can author LookML that influences those parameters; because they are not adequately validated, crafted values can cause Looker to execute arbitrary commands on the underlying system.
The weakness is therefore in the connection-setup path rather than in query execution: the malicious input is consumed when the DB2 connection is established, and the resulting commands run in the context of the Looker service. Any such defect is ultimately a failure to treat driver connection parameters as untrusted input and to restrict them to a known-good set.
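The general hardening pattern, as an added illustration that is not Looker's code and does not reproduce the CVE-2025-12740 defect: a "before" builder that concatenates whatever key/value pairs a caller supplies into a driver URL, next to a hardened builder that allowlists parameter names and full-matches every value. The parameter names, the regexes and the `jdbc:db2://host:port/db:key=value;` URL layout are assumptions made for the example; a real deployment would derive the allowlist from the driver's documented properties.

```python
"""Allowlisting connection parameters before they reach a database driver.

Added example, not Looker's code. The allowed parameter names, the value
patterns and the URL layout are assumptions chosen for illustration.
"""
import re
from typing import Dict

# Assumed allowlist: parameter name -> pattern its value must fully match.
ALLOWED_PARAMS: Dict[str, "re.Pattern[str]"] = {
    "currentSchema": re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,127}"),
    "sslConnection": re.compile(r"true|false"),
    "loginTimeout": re.compile(r"[0-9]{1,4}"),
}
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,253}")   # hostname / dotted address
DB_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,31}")           # database identifier


class UnsafeConnectionParameter(ValueError):
    """Raised when a caller-supplied connection component fails validation."""


def build_url_unsafe(host: str, port: int, database: str, extra: Dict[str, str]) -> str:
    """'Before' form: every key/value pair is concatenated into the URL.

    A value such as "SALES;injected=1" silently becomes two properties, because
    ';' and '=' are the separators the URL syntax itself uses.
    """
    url = f"jdbc:db2://{host}:{port}/{database}"
    if extra:
        url += ":" + ";".join(f"{k}={v}" for k, v in extra.items()) + ";"
    return url


def validate_params(extra: Dict[str, str]) -> Dict[str, str]:
    """Reject unknown parameter names and any value that does not full-match.

    Full-match patterns also exclude the separator characters (';', '=',
    newline) that would let one value smuggle in further properties.
    """
    clean: Dict[str, str] = {}
    for key, value in extra.items():
        pattern = ALLOWED_PARAMS.get(key)
        if pattern is None:
            raise UnsafeConnectionParameter(f"parameter not permitted: {key!r}")
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise UnsafeConnectionParameter(f"rejected value for {key!r}: {value!r}")
        clean[key] = value
    return clean


def build_url(host: str, port: int, database: str, extra: Dict[str, str]) -> str:
    """Hardened form: validate host, port, database and extras, then build."""
    if not HOST_RE.fullmatch(host):
        raise UnsafeConnectionParameter(f"rejected host: {host!r}")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise UnsafeConnectionParameter(f"rejected port: {port!r}")
    if not DB_RE.fullmatch(database):
        raise UnsafeConnectionParameter(f"rejected database: {database!r}")
    return build_url_unsafe(host, port, database, validate_params(extra))


def try_build(host: str, port: int, database: str, extra: Dict[str, str]) -> dict:
    """Wrapper returning {'ok': bool, 'url': str | None, 'error': str | None}."""
    try:
        return {"ok": True, "url": build_url(host, port, database, extra), "error": None}
    except UnsafeConnectionParameter as exc:
        return {"ok": False, "url": None, "error": str(exc)}


if __name__ == "__main__":
    # Constructed inputs: one benign set, one that abuses the separator characters.
    benign = {"currentSchema": "SALES", "sslConnection": "true"}
    hostile = {"currentSchema": "SALES;injected=1"}
    print(build_url_unsafe("db2.internal", 50000, "WAREHOUSE", hostile))  # passes through
    print(try_build("db2.internal", 50000, "WAREHOUSE", benign))
    print(try_build("db2.internal", 50000, "WAREHOUSE", hostile))
```

The point of the hardened form is that it rejects by structure rather than by searching for known-bad strings: an unknown key is refused outright, and a known key only accepts values of the exact shape the driver property expects, so separator injection is impossible regardless of which driver property an attacker targets.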
CVSS Analysis
No CVSS score has been published for this issue at the time of writing. The missing score should not be read as low severity: arbitrary command execution on the Looker host is among the most serious outcomes a web application vulnerability can have. The one limiting factor is that exploitation requires an authenticated account with the Developer role, so the attacker population is existing developers and anyone who has compromised such an account. Treat the issue as high priority and apply the mitigation below as quickly as possible.
Possible Impact
Successful exploitation of CVE-2025-12740 could lead to a range of severe consequences, including:
- Data Breach: Unauthorized access to sensitive data held by the Looker instance, and to the connected databases reachable with the connection credentials stored on the Looker host.
- System Compromise: Full control of the Looker server, allowing an attacker to install malware, modify system configuration, or stage further attacks on the internal network.
- Denial of Service: Disrupting the availability of the Looker service for legitimate users.
- Lateral Movement: Using the compromised Looker server as a stepping stone to other systems on the network, including the database hosts it is configured to reach.
Mitigation and Patch Steps
The primary mitigation for CVE-2025-12740 is to upgrade your self-hosted Looker instance to one of the patched versions. The following versions include the fix:
- 25.0.93+
- 25.6.84+
- 25.12.42+
- 25.14.50+
- 25.16.44+
Important: Obtain the patched release for your environment from the official Looker download page.
Immediate Actions for Self-Hosted Instances:
- Backup: Before upgrading, create a full backup of your Looker instance, including its internal database and configuration files.
- Download: Download the appropriate patched version from the Looker download page.
- Upgrade: Follow the official Looker upgrade documentation to perform the upgrade.
- Verification: After the upgrade, confirm that the running version is at or above the patched version for its release branch, then test that the instance and its database connections function correctly.
Until the upgrade is complete, review which accounts hold the Developer role, remove it from anyone who does not need it, and audit recent LookML changes that touch IBM DB2 connections.
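A small helper for the verification step, added here and not part of Looker's tooling: it compares a version string against the five patched versions listed above, within the release branch the version belongs to. How the running version string is retrieved from a given deployment is outside the snippet; feed it a string such as `25.12.41`.

```python
"""Check a Looker version string against the patched versions in the advisory.

Added helper, not Looker tooling. The patched versions are the five the
advisory lists; obtaining the running version from a deployment is left to
the operator.
"""
import re
import sys
from typing import Tuple

# Release branch (major, minor) -> first patched version on that branch.
PATCHED_VERSIONS = {
    (25, 0): (25, 0, 93),
    (25, 6): (25, 6, 84),
    (25, 12): (25, 12, 42),
    (25, 14): (25, 14, 50),
    (25, 16): (25, 16, 44),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch from '25.12.41' or 'Looker 25.12.41'."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def patch_status(text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unlisted-branch'.

    Comparison is numeric within the release branch, so 25.12.100 is patched
    while 25.12.41 is not. A branch the advisory does not list (for example
    25.10.x) cannot be confirmed fixed from the advisory alone; treat it as
    needing an upgrade to one of the listed branches.
    """
    version = parse_version(text)
    fixed = PATCHED_VERSIONS.get(version[:2])
    if fixed is None:
        return "unlisted-branch"
    return "patched" if version >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs when no arguments are given.
    for arg in sys.argv[1:] or ["25.12.41", "25.12.42", "25.10.7"]:
        print(f"{arg}: {patch_status(arg)}")
```

Note that "unlisted-branch" is deliberately not reported as patched: the advisory only vouches for the five branches it names, so an instance on any other branch should be moved to a listed one rather than assumed safe.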
References
Published: 2025-11-24T12:15:45.127
