PT-2025-47898 · Denodo+1 · Denodo Driver+1

Ryotak · Published 2025-11-24 · Updated 2025-11-24 · CVE-2025-12741

CVSS v4.0: 7.7 (High)

Vector: AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Red

Name of the Vulnerable Software and Affected Versions

Looker versions prior to 24.12.108
Looker versions prior to 24.18.200
Looker versions prior to 25.0.78
Looker versions prior to 25.6.65
Looker versions prior to 25.8.47
Looker versions prior to 25.12.10
Looker versions prior to 25.14

Description

A user with Developer role can create a database connection using the Denodo driver and manipulate LookML to cause Looker to execute a malicious command. This issue affects both Looker-hosted and self-hosted instances. The issue has been mitigated for Looker-hosted instances, requiring no user action.

Recommendations

Upgrade self-hosted instances to version 24.12.108 or later.
Upgrade self-hosted instances to version 24.18.200 or later.
Upgrade self-hosted instances to version 25.0.78 or later.
Upgrade self-hosted instances to version 25.6.65 or later.
Upgrade self-hosted instances to version 25.8.47 or later.
Upgrade self-hosted instances to version 25.12.10 or later.
Upgrade self-hosted instances to version 25.14 or later.

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2025-12741

Affected Products

Denodo Driver
Looker