{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-12155","assignerOrgId":"f45cbf4e-4146-4068-b7e1-655ffc2c548c","state":"PUBLISHED","assignerShortName":"GoogleCloud","dateReserved":"2025-10-24T13:07:55.182Z","datePublished":"2025-11-10T08:49:45.811Z","dateUpdated":"2025-11-10T15:18:43.851Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","platforms":["Looker-hosted"],"product":"Looker","vendor":"Google Cloud","versions":[{"lessThan":"24.12.100","status":"affected","version":"0","versionType":"date"},{"lessThan":"24.18.192","status":"affected","version":"0","versionType":"date"},{"lessThan":"25.0.69","status":"affected","version":"0","versionType":"date"},{"lessThan":"25.6.57","status":"affected","version":"0","versionType":"date"},{"lessThan":"25.8.39","status":"affected","version":"0","versionType":"date"},{"lessThan":"25.10.22","status":"affected","version":"0","versionType":"date"}]},{"defaultStatus":"unaffected","platforms":["Self-hosted"],"product":"Looker","vendor":"Google Cloud","versions":[{"lessThan":"24.12.100","status":"affected","version":"0","versionType":"date"},{"lessThan":"24.18.192","status":"affected","version":"0","versionType":"date"},{"lessThan":"25.0.69","status":"affected","version":"0","versionType":"date"},{"lessThan":"25.6.57","status":"affected","version":"0","versionType":"date"},{"lessThan":"25.8.39","status":"affected","version":"0","versionType":"date"},{"lessThan":"25.10.22","status":"affected","version":"0","versionType":"date"}]}],"credits":[{"lang":"en","type":"finder","value":"Tomas Lažauninkas"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<span style=\"background-color: rgb(255, 255, 255);\">A Command Injection vulnerability, resulting from improper file path sanitization (Directory Traversal) in Looker allows an attacker with Developer permission to execute arbitrary shell commands when a user is deleted on the host system.</span><br><br><span style=\"background-color: rgb(252, 252, 252);\">Looker-hosted and Self-hosted were found to be vulnerable.<br>This issue has already been mitigated for Looker-hosted&nbsp;instances. No user action is required for these.<br><br><span style=\"background-color: rgb(252, 252, 252);\">Self-hosted instances must be upgraded <span style=\"background-color: rgb(252, 252, 252);\">as soon as possible</span>. This vulnerability has been patched in all supported versions of Self-hosted.</span><br><span style=\"background-color: rgb(252, 252, 252);\">The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://download.looker.com/\">https://download.looker.com/</a><span style=\"background-color: rgb(252, 252, 252);\">:</span><br><ul><li><span style=\"background-color: rgb(252, 252, 252);\">24.12.100+</span></li><li><span style=\"background-color: rgb(252, 252, 252);\">24.18.192+</span></li><li><span style=\"background-color: rgb(252, 252, 252);\">25.0.69+</span></li><li><span style=\"background-color: rgb(252, 252, 252);\">25.6.57+</span></li><li><span style=\"background-color: rgb(252, 252, 252);\">25.8.39+</span></li><li><span style=\"background-color: rgb(252, 252, 252);\">25.10.22+</span></li></ul></span>"}],"value":"A Command Injection vulnerability, resulting from improper file path sanitization (Directory Traversal) in Looker allows an attacker with Developer permission to execute arbitrary shell commands when a user is deleted on the host system.\n\nLooker-hosted and Self-hosted were found to be vulnerable.\nThis issue has already been mitigated for Looker-hosted instances. No user action is required for these.\n\nSelf-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted.\nThe versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page  https://download.looker.com/ :\n  *  24.12.100+\n  *  24.18.192+\n  *  25.0.69+\n  *  25.6.57+\n  *  25.8.39+\n  *  25.10.22+"}],"impacts":[{"capecId":"CAPEC-126","descriptions":[{"lang":"en","value":"CAPEC-126 Path Traversal"}]}],"metrics":[{"cvssV4_0":{"Automatable":"YES","Recovery":"NOT_DEFINED","Safety":"PRESENT","attackComplexity":"LOW","attackRequirements":"PRESENT","attackVector":"NETWORK","baseScore":7.1,"baseSeverity":"HIGH","exploitMaturity":"NOT_DEFINED","privilegesRequired":"HIGH","providerUrgency":"RED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"ACTIVE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/S:P/AU:Y/U:Red","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-77","description":"CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"f45cbf4e-4146-4068-b7e1-655ffc2c548c","shortName":"GoogleCloud","dateUpdated":"2025-11-10T08:49:45.811Z"},"references":[{"url":"https://cloud.google.com/support/bulletins#gcp-2025-052"}],"source":{"discovery":"UNKNOWN"},"title":"Command Injection in Looker","x_generator":{"engine":"Vulnogram 0.4.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-11-10T15:17:21.647576Z","id":"CVE-2025-12155","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-11-10T15:18:43.851Z"}}]}}