CVE-2025-12740 in Lookerinfo

Summary

by MITRE • 11/24/2025

A Looker user with a Developer role could create a database connection using IBM DB2 driver and, by manipulating LookML, cause Looker to execute a malicious command, due to inadequate filtering of the driver's parameters.

Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these.


Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 25.0.93+ * 25.6.84+

* 25.12.42+ * 25.14.50+ * 25.16.44+

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 11/24/2025

This vulnerability represents a critical command injection flaw in Looker's database connection handling mechanism that specifically affects users with Developer roles. The issue stems from insufficient input validation and parameter filtering within the IBM DB2 driver integration, allowing authenticated attackers to manipulate LookML code to execute arbitrary commands on the underlying system. The vulnerability exists in both Looker-hosted and self-hosted deployments, though the former has already been patched by the vendor without requiring user intervention. The technical exploitation occurs through the manipulation of database connection parameters that are not properly sanitized before being passed to the underlying database driver, creating a direct path for command injection attacks.

The flaw aligns with CWE-78, which specifically addresses improper neutralization of special elements used in OS commands, and CWE-94, covering improper control of generation of code. This vulnerability also maps to ATT&CK technique T1059.001, which involves executing malicious code through command and scripting interpreters, and T1021.004, which covers remote services through SMB/Windows Admin Shares. The attack vector requires a user with Developer privileges to create a database connection using the IBM DB2 driver, then leverage LookML manipulation to inject malicious commands that get executed by the system's command processor. This represents a significant privilege escalation risk as it allows developers to potentially execute arbitrary system commands with the privileges of the Looker service account.

The operational impact of this vulnerability is substantial, as it enables attackers to gain unauthorized access to the underlying database systems and potentially escalate privileges to compromise the entire Looker deployment. Self-hosted instances remain at risk until upgraded to patched versions, creating a window where malicious actors could exploit this weakness to extract sensitive data, modify database contents, or establish persistent access. The vulnerability affects the core database connectivity functionality of Looker, making it a critical target for exploitation. Organizations using self-hosted Looker deployments must urgently upgrade to versions 25.0.93 or higher, 25.6.84 or higher, 25.12.42 or higher, 25.14.50 or higher, or 25.16.44 or higher to remediate the issue. The patch addresses the root cause by implementing proper input sanitization and parameter validation for all database driver parameters, ensuring that user-supplied values cannot be interpreted as executable commands. This remediation approach follows security best practices for preventing command injection vulnerabilities by applying principle of least privilege and input validation controls.

Responsible

GoogleCloud

Reservation

11/05/2025

Disclosure

11/24/2025

Moderation

accepted

CPE

ready

EPSS

0.00215

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!