PT-2025-47896 · Google · Looker
Sivanesh Ashok +1 · Published 2025-11-24 · Updated 2025-11-24 · CVE-2025-12739
CVSS v4.0: 7.3 (High)
Vector: AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red
Name of the Vulnerable Software and Affected Versions
Looker versions prior to 24.18.201
Looker versions prior to 25.0.79
Looker versions prior to 25.6.66
Looker versions prior to 25.12.7
Looker versions prior to 25.16.0
Looker versions prior to 25.18.0
Looker versions prior to 25.20.0
Description
An attacker with viewer permissions in Looker could create a malicious URL. When opened by a Looker administrator, this URL would execute an attacker-supplied script. Exploitation requires at least one Looker extension to be installed. This issue affects both Looker-hosted and self-hosted instances. The issue has been mitigated for Looker-hosted instances, requiring no user action.
Recommendations
Upgrade self-hosted instances to version 24.18.201 or later.
Upgrade self-hosted instances to version 25.0.79 or later.
Upgrade self-hosted instances to version 25.6.66 or later.
Upgrade self-hosted instances to version 25.12.7 or later.
Upgrade self-hosted instances to version 25.16.0 or later.
Upgrade self-hosted instances to version 25.18.0 or later.
Upgrade self-hosted instances to version 25.20.0 or later.
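The fixed versions above read as one minimum build per release line, so a self-hosted instance has to be compared against the fix for its own line rather than against the whole list. The following triage helper is an added example, not code from Google or from this advisory; the per-line reading, the handling of unlisted release lines, and the sample inventory names are assumptions.

```python
import re

# Fixed build per release line, copied from the advisory's version list.
FIXED_BUILDS = {
    (24, 18): 201, (25, 0): 79, (25, 6): 66, (25, 12): 7,
    (25, 16): 0, (25, 18): 0, (25, 20): 0,
}
NEWEST_LINE = max(FIXED_BUILDS)


def parse_version(text):
    """Parse 'major.minor.build' into a tuple of ints; reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Looker version: {text!r}")
    return tuple(int(part) for part in m.groups())


def triage(version):
    """Return (status, minimum_target); target is None when already patched."""
    major, minor, build = parse_version(version)
    line = (major, minor)
    if line in FIXED_BUILDS:
        fixed = FIXED_BUILDS[line]
        if build >= fixed:
            return ("patched", None)
        return ("affected", f"{major}.{minor}.{fixed}")
    if line > NEWEST_LINE:
        # Assumption: release lines after 25.20 already contain the fix.
        return ("patched", None)
    # Assumption: a line with no fixed build listed must move to the next listed line.
    nxt = min(l for l in FIXED_BUILDS if l > line)
    return ("affected", f"{nxt[0]}.{nxt[1]}.{FIXED_BUILDS[nxt]}")


def triage_inventory(inventory):
    """Map each instance name to its triage result."""
    return {name: triage(version) for name, version in inventory.items()}


# Constructed sample inventory (hypothetical instance names and versions).
SAMPLE_INVENTORY = {
    "looker-prod": "25.6.65",
    "looker-staging": "25.12.7",
    "looker-legacy": "24.10.3",
}

if __name__ == "__main__":
    for name, (status, target) in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {status}" + (f", upgrade to {target} or later" if target else ""))
```

Incomplete version strings such as `25.6` raise `ValueError` instead of being guessed at, so an instance with an unknown build is never reported as patched.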
Fix
XSS
Affected Products
Looker