Vulnerability Description
A Looker user with a Developer role could create a database connection using IBM DB2 driver and, by manipulating LookML, cause Looker to execute a malicious command, due to inadequate filtering of the driver's parameters. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 25.0.93+ * 25.6.84+ * 25.12.42+ * 25.14.50+ * 25.16.44+
Related Weaknesses (CWE)
References
FAQ
What is CVE-2025-12740?
CVE-2025-12740 is a documented vulnerability. A Looker user with a Developer role could create a database connection using IBM DB2 driver and, by manipulating LookML, cause Looker to execute a malicious command, due to inadequate filtering of the...
How severe is CVE-2025-12740?
CVSS scoring is not yet available for CVE-2025-12740. Check NVD for updates.
Is there a patch for CVE-2025-12740?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.