PT-2025-47566 · Google · Looker
Sivanesh Ashok +1 · Published 2025-11-20 · Updated 2025-11-20
CVE-2025-12414
CVSS v4.0: 9.2 (Critical)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
Name of the Vulnerable Software and Affected Versions
Looker versions prior to 24.12.100
Looker versions prior to 24.18.193
Looker versions prior to 25.0.69
Looker versions prior to 25.6.57
Looker versions prior to 25.8.39
Looker versions prior to 25.10.22
Looker versions prior to 25.12.0
Description
An attacker could potentially take over a Looker account in instances configured with OIDC authentication. This is due to an issue with email address string normalization, specifically a punycode homograph attack. The issue affects both Looker-hosted and self-hosted instances. The vulnerability has been mitigated for Looker-hosted instances.
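The following is an added example, not Looker's code and not from the advisory: a defender-side audit of OIDC email claims for the string properties this class of issue depends on (non-ASCII characters, punycode labels, mixed-script domain labels). The function names, the `.example` addresses and the ASCII-only linking policy are assumptions made for illustration.

```python
import unicodedata

def scripts(label):
    """Scripts used by the letters of a label (first word of each Unicode name)."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}

def audit_email(email):
    """Return findings that make an email claim unsafe to match by string."""
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        return ["malformed"]
    findings = []
    if not email.isascii():
        findings.append("non-ascii")
    if unicodedata.normalize("NFKC", email) != email:
        findings.append("changes-under-nfkc")
    for raw in domain.split("."):
        label = raw
        if raw.lower().startswith("xn--"):
            findings.append("punycode-label")
            try:
                label = raw[4:].encode("ascii").decode("punycode")
            except ValueError:  # UnicodeError is a ValueError subclass
                findings.append("bad-punycode")
                continue
        if len(scripts(label)) > 1:
            findings.append("mixed-script")
    return findings

def safe_to_link(claim_email, stored_email):
    """Assumed policy: link by email only when both strings are clean ASCII
    and equal ignoring case; anything flagged is refused."""
    if audit_email(claim_email) or audit_email(stored_email):
        return False
    return claim_email.lower() == stored_email.lower()

# Constructed sample: Cyrillic U+0430 in place of Latin "a", in both encodings.
U_LABEL = "\u0430pple"
A_LABEL = "xn--" + U_LABEL.encode("punycode").decode("ascii")
SAMPLES = ["user@apple.example",
           "user@" + U_LABEL + ".example",
           "user@" + A_LABEL + ".example"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(ascii(s), audit_email(s))
```

Run over an exported user list or IdP claim log, any non-empty result marks an address to review before it is used as an account-matching key.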
Recommendations
Upgrade self-hosted instances to version 24.12.100 or later.
Upgrade self-hosted instances to version 24.18.193 or later.
Upgrade self-hosted instances to version 25.0.69 or later.
Upgrade self-hosted instances to version 25.6.57 or later.
Upgrade self-hosted instances to version 25.8.39 or later.
Upgrade self-hosted instances to version 25.10.22 or later.
Upgrade self-hosted instances to version 25.12.0 or later.
Fix
Authentication Bypass by Spoofing
Weakness Enumeration
Related Identifiers
Affected Products
Looker