CVE-2025-12743

MEDIUM

Google Cloud Looker SQL Injection via Schemas Parameter

Title source: llm

Description

The Looker endpoint for generating new projects from database connections allows users to specify "looker" as a connection name, which is a reserved internal name for Looker's internal MySQL database. The schemas parameter is vulnerable to SQL injection, enabling attackers to manipulate SELECT queries that are constructed and executed against the internal MySQL database. This vulnerability allows users with developer permissions to extract data from Looker's internal MySQL database. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect against this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.12.106 * 24.18.198+ * 25.0.75 * 25.6.63+ * 25.8.45+ * 25.10.33+ * 25.12.1+ * 25.14+

References (2)

Core 2

Core References

Various Sources

https://cloud.google.com/support/bulletins#gcp-2025-052

Third Party Advisory

https://www.tenable.com/security/research/tra-2025-43

Scores

CVSS v4 6.0

EPSS 0.0024

EPSS Percentile 15.0%

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (8)

Google Cloud/Looker < 24.12.106

Google Cloud/Looker < 24.18.198

Google Cloud/Looker < 25.0.75

Google Cloud/Looker < 25.10.33

Google Cloud/Looker < 25.12.1

Google Cloud/Looker < 25.14

Google Cloud/Looker < 25.6.63

Google Cloud/Looker < 25.8.45

Published Nov 19, 2025

Tracked Since Feb 18, 2026