Vulnerability Description
A Looker user with Developer role could create a database connection using Denodo driver and, by manipulating LookML, cause Looker to execute a malicious command. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.12.108+ * 24.18.200+ * 25.0.78+ * 25.6.65+ * 25.8.47+ * 25.12.10+ * 25.14+
Related Weaknesses (CWE)
References
FAQ
What is CVE-2025-12741?
CVE-2025-12741 is a documented vulnerability. A Looker user with Developer role could create a database connection using Denodo driver and, by manipulating LookML, cause Looker to execute a malicious command. Looker-hosted and Self-hosted were f...
How severe is CVE-2025-12741?
CVSS scoring is not yet available for CVE-2025-12741. Check NVD for updates.
Is there a patch for CVE-2025-12741?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.