PT-2025-45605 · Google · Looker
Tomas Lažauninkas · Published 2025-11-10 · Updated 2025-11-12
CVE-2025-12155
CVSS v4.0: 7.1 (High)
| Vector | AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:X/RE:X/U:Red |
Name of the Vulnerable Software and Affected Versions
Looker versions 24.12.100 and later
Looker versions 24.18.192 and later
Looker versions 25.0.69 and later
Looker versions 25.6.57 and later
Looker versions 25.8.39 and later
Looker versions 25.10.22 and later
Description
The software contains a Command Injection issue stemming from inadequate file path sanitization (Directory Traversal). An attacker holding Developer permission can execute arbitrary shell commands on the host system when a user is deleted. Both Looker-hosted and self-hosted instances are affected; Looker-hosted instances have already been mitigated and require no user action. The flaw lies in improper handling of file paths during user deletion, which can allow an attacker to traverse directories and execute commands on the underlying system. It is triggered when a user with Developer permissions initiates a user deletion process.
Recommendations
Upgrade to Looker version 24.12.100 or later.
Upgrade to Looker version 24.18.192 or later.
Upgrade to Looker version 25.0.69 or later.
Upgrade to Looker version 25.6.57 or later.
Upgrade to Looker version 25.8.39 or later.
Upgrade to Looker version 25.10.22 or later.
Fix
Command Injection
Affected Products
Looker