CVE-2025-12155

10.11.2025, 09:15

A Command Injection vulnerability, resulting from improper file path sanitization (Directory Traversal) in Looker allows an attacker with Developer permission to execute arbitrary shell commands when a user is deleted on the host system.

Looker-hosted and Self-hosted were found to be vulnerable.
This issue has already been mitigated for Looker-hostedinstances. No user action is required for these.

Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted.
The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page  https://download.looker.com/ :
  *  24.12.100+
  *  24.18.192+
  *  25.0.69+
  *  25.6.57+
  *  25.8.39+
  *  25.10.22+

Command Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	UNKNOWN				---
GoogleCloud	CNA	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References

https://cloud.google.com/support/bulletins#gcp-2025-052