Critical Looker Security Update: CVE-2025-12472 Allows Arbitrary Command Execution

Overview

A critical security vulnerability, identified as CVE-2025-12472, has been discovered in Looker, affecting both Looker-hosted and self-hosted instances. This vulnerability allows an attacker with a Looker Developer role to manipulate a LookML project and exploit a race condition during Git directory deletion. Successful exploitation can lead to arbitrary command execution on the Looker instance.

The good news is that Looker-hosted instances have already been mitigated, requiring no user action. However, self-hosted instances are vulnerable and require immediate action.

Technical Details

CVE-2025-12472 stems from a race condition that can occur during the deletion of Git directories within a LookML project. An attacker possessing the Looker Developer role can manipulate the project in a way that exploits this race condition. By carefully timing actions, they can gain the ability to execute arbitrary commands with the privileges of the Looker instance. This is a significant risk, as it can allow for complete system compromise.

The root cause lies in the improper handling of concurrent processes during the Git directory deletion, leading to a window where malicious code can be injected and executed.

CVSS Analysis

At the time of this writing, the CVSS score and severity for CVE-2025-12472 are listed as N/A. However, given the potential for arbitrary command execution, this vulnerability should be considered critical for self-hosted Looker instances. We highly recommend patching immediately, regardless of the official CVSS score.

Possible Impact

The exploitation of CVE-2025-12472 can have severe consequences, including:

  • Complete System Compromise: Attackers can gain full control of the Looker instance.
  • Data Breach: Sensitive data stored or processed by Looker could be accessed and exfiltrated.
  • Denial of Service: Attackers could disrupt Looker services, preventing legitimate users from accessing the platform.
  • Lateral Movement: Compromised Looker instances could be used as a stepping stone to attack other systems within the network.

Mitigation and Patch Steps

For Looker-hosted instances: No action is required. This issue has already been mitigated.

For self-hosted instances: Upgrade your Looker instance immediately.

The vulnerability has been patched in the following versions:

  • 24.12.103+
  • 24.18.195+
  • 25.0.72+
  • 25.6.60+
  • 25.8.42+
  • 25.10.22+

You can download the updated versions from the Looker download page:

Looker Download Page

After upgrading, it is recommended to review your Looker user permissions and ensure that only trusted users have the Looker Developer role.
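To make the version list above easy to act on, here is an added example (not code from the advisory or from Looker) that checks a self-hosted instance's version string against the fixed build for its release line; the inventory of hostnames and versions is constructed for illustration.

```python
# Added example: decide whether a self-hosted Looker version is at or above the
# fixed build for its release line, using the fixed versions the advisory lists
# for CVE-2025-12472. Hostnames and versions in INVENTORY are constructed.

# (major, minor) release line -> first patched build on that line
FIXED_BUILDS = {
    (24, 12): 103,
    (24, 18): 195,
    (25, 0): 72,
    (25, 6): 60,
    (25, 8): 42,
    (25, 10): 22,
}

def parse_version(version):
    """Parse 'MAJOR.MINOR.BUILD' into a tuple of ints; reject anything else."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Looker version string: {version!r}")
    return tuple(int(p) for p in parts)

def assess(version):
    """Return 'patched', 'vulnerable' or 'unlisted' for one version string.

    'unlisted' means the release line is not in the advisory's fixed-version
    list, so the operator should move to a listed line rather than assume
    the instance is safe.
    """
    major, minor, build = parse_version(version)
    fixed_build = FIXED_BUILDS.get((major, minor))
    if fixed_build is None:
        return "unlisted"
    return "patched" if build >= fixed_build else "vulnerable"

def hosts_needing_action(inventory):
    """Return [(host, version, status)] for every host that is not 'patched'."""
    results = []
    for host, version in inventory:
        status = assess(version)
        if status != "patched":
            results.append((host, version, status))
    return results

# Constructed inventory of self-hosted instances (not real hosts).
INVENTORY = [
    ("looker-prod.example.internal", "25.10.22"),
    ("looker-stage.example.internal", "25.6.59"),
    ("looker-legacy.example.internal", "25.2.10"),
]

if __name__ == "__main__":
    for host, version, status in hosts_needing_action(INVENTORY):
        print(f"{host}: {version} is {status}; upgrade required")
```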

References

Published: 2025-11-19T11:15:44.383

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.