PT-2025-47476 · Google · Looker

Liv Matan +1 · Published 2025-11-19 · Updated 2026-02-04 · CVE-2025-12743

CVSS v4.0: 6.0 (Medium)

Vector: AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red
Name of the Vulnerable Software and Affected Versions

Looker versions prior to 24.12.106
Looker versions 24.12.106 through 24.18.198
Looker versions prior to 25.0.75
Looker versions 25.0.75 through 25.6.63
Looker versions prior to 25.6.63
Looker versions 25.6.63 through 25.8.45
Looker versions prior to 25.8.45
Looker versions 25.8.45 through 25.10.33
Looker versions prior to 25.10.33
Looker versions 25.10.33 through 25.12.1
Looker versions prior to 25.12.1
Looker versions 25.12.1 through 25.14
Looker versions prior to 25.14
Description

The Looker endpoint used for creating new projects from database connections allows specification of "looker" as a connection name, which is a reserved name for Looker’s internal MySQL database. The schemas parameter is susceptible to SQL injection, allowing manipulation of SELECT queries executed against the internal MySQL database. This allows users with developer permissions to extract data from Looker’s internal MySQL database. The API endpoint involved is the project generation endpoint. The vulnerable parameter is schemas.
Recommendations

Versions prior to 24.12.106 must be upgraded.
Versions 24.12.106 through 24.18.198 must be upgraded.
Versions prior to 25.0.75 must be upgraded.
Versions 25.0.75 through 25.6.63 must be upgraded.
Versions prior to 25.6.63 must be upgraded.
Versions 25.6.63 through 25.8.45 must be upgraded.
Versions prior to 25.8.45 must be upgraded.
Versions 25.8.45 through 25.10.33 must be upgraded.
Versions prior to 25.10.33 must be upgraded.
Versions 25.10.33 through 25.12.1 must be upgraded.
Versions prior to 25.12.1 must be upgraded.
Versions 25.12.1 through 25.14 must be upgraded.

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2025-12743

Affected Products

Looker