CVE-2025-12741 in Lookerinfo

Summary

by MITRE • 11/24/2025

A Looker user with Developer role could create a database connection using Denodo driver and, by manipulating LookML, cause Looker to execute a malicious command.

Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these.


Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.12.108+ * 24.18.200+ * 25.0.78+ * 25.6.65+ * 25.8.47+ * 25.12.10+ * 25.14+

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 11/24/2025

This vulnerability represents a critical command execution flaw in the Looker platform that allows users with Developer roles to escalate their privileges through database connection manipulation. The issue specifically leverages the Denodo database driver integration within Looker's architecture, creating a pathway for malicious command injection attacks that can be initiated through carefully crafted LookML code. The vulnerability affects both Looker-hosted and self-hosted deployments, though the former has already received automatic patches while the latter requires manual intervention. The security implications are significant as this flaw enables arbitrary code execution on the Looker server, potentially allowing attackers to gain full control over the platform's underlying infrastructure and access to all connected data sources.

The technical exploitation occurs through a combination of privilege escalation and input validation failures within Looker's connection handling mechanisms. When a Developer role user creates a database connection using the Denodo driver, the system fails to properly sanitize user-supplied parameters that are subsequently processed within the LookML context. This vulnerability maps directly to CWE-78, which describes improper neutralization of special elements used in OS commands, and CWE-94, covering improper control of generation of code. The flaw exists in the platform's interpretation of LookML code that references database connections, where user-controllable input is not properly validated or escaped before being passed to underlying system commands. Attackers can manipulate the LookML to inject malicious commands that execute with the privileges of the Looker service account, potentially leading to complete system compromise.

The operational impact of this vulnerability extends beyond simple privilege escalation to encompass potential data breaches, system compromise, and unauthorized access to sensitive information. Self-hosted deployments remain particularly vulnerable as they require manual patching, creating extended windows of exposure for organizations that have not yet upgraded their systems. The attack vector requires minimal privileges but can result in maximum impact, making it particularly dangerous for environments where multiple users have Developer access. Organizations using Looker for business intelligence and data analytics are at risk of having their analytical platforms become attack vectors for broader network infiltration, especially in cases where Looker servers have access to critical databases or enterprise systems. This vulnerability also aligns with ATT&CK technique T1059, which covers command and scripting interpreter, and T1078, covering valid accounts, as it leverages legitimate user roles to execute malicious commands.

Organizations utilizing self-hosted Looker instances must prioritize immediate upgrade to one of the patched versions listed in the advisory to mitigate this vulnerability. The affected versions include specific release numbers across multiple version streams, ensuring that administrators can identify their current status and plan appropriate upgrade paths. The recommended versions provide patches that address the input validation issues in the Denodo driver integration and implement proper sanitization of user-supplied parameters before they are processed within the LookML context. Given the nature of the vulnerability and the potential for exploitation, organizations should also conduct immediate security assessments of their Looker deployments, review user access controls, and implement monitoring for unusual database connection patterns or LookML modifications that could indicate attempted exploitation. The patching process should be prioritized in environments where Developer roles are granted to users who may not require such elevated privileges, as this reduces the attack surface for potential exploitation.

Responsible

GoogleCloud

Reservation

11/05/2025

Disclosure

11/24/2025

Moderation

accepted

CPE

ready

EPSS

0.00215

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!