CVE-2025-12397
HIGHLooker Studio < 2025-07-21 - Authenticated SQL Injection via BigQuery Report View
Title source: llmDescription
A SQL injection vulnerability was found in Looker Studio. A Looker Studio user with report view access could inject malicious SQL that would execute with the report owner's permissions. The vulnerability affected to reports with BigQuery as the data source. This vulnerability was patched on 21 July 2025, and no customer action is needed.
References (2)
Core 2
Core References
Various Sources
https://cloud.google.com/support/bulletins#gcp-2025-053
Third Party Advisory
https://www.tenable.com/security/research/tra-2025-28
Scores
CVSS v4
7.6
EPSS
0.0027
EPSS Percentile
18.6%
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-89
Status
published
Products (1)
Google Cloud/Looker Studio
< 2025-07-21
Published
Nov 10, 2025
Tracked Since
Feb 18, 2026