CVE-2025-12742

25.11.2025, 06:15

A Looker user with a Developer role could cause Looker to execute a malicious command, due to insecure processing of Teradata driver parameters.

Looker-hosted and Self-hosted were found to be vulnerable.
This issue has already been mitigated for Looker-hosted instances.No user action is required for these.


Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted.
The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page  https://download.looker.com/ :
  *  24.12.108+
  *  24.18.200+
  *  25.0.78+
  *  25.6.65+
  *  25.8.47+
  *  25.12.10+
  *  25.14+

OS Command Injection

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
GoogleCloud	CNA	---	---
CISA-ADP	ADP	---	---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 17%

Common Weakness Enumeration

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References

https://cloud.google.com/support/bulletins#gcp-2025-052