NextGuard

Vulnerability monitoring for modern software teams.


© 2026 NextGuard. All rights reserved.
CVE-2025-12405
Severity: Medium

CVE-2025-12405: SQL Injection in Looker Studio

Platform: other
Component: looker-studio
Fixed in: 2025-07-21

AI Confidence: high
Data source: NVD
EPSS: 0.1%
Reviewed: May 2026

CVE-2025-12405 describes an improper privilege management vulnerability discovered in Looker Studio. This flaw allows a user with report view access to potentially execute arbitrary SQL against the underlying data source database by copying a report and leveraging stored credentials. The vulnerability impacts all JDBC-based connectors within Looker Studio and was resolved on July 21, 2025.

Impact and Attack Scenarios

The primary impact of CVE-2025-12405 is the potential for unauthorized data access and manipulation within the data source database. An attacker could craft a malicious report copy and execute SQL queries to extract sensitive information, modify existing data, or even delete records. The scope of the attack is limited to the data accessible through the JDBC connector and the permissions granted to the Looker Studio user. Successful exploitation could lead to data breaches, compliance violations, and disruption of business operations. While the vulnerability requires report view access, the potential for data exfiltration makes it a significant concern.

Exploitation Context

CVE-2025-12405 was publicly disclosed on November 10, 2025. There is no indication of active exploitation or of inclusion in the CISA KEV catalog at this time. Public proof-of-concept code is not currently available, but the nature of the vulnerability (SQL injection through stored connector credentials) suggests that it could be relatively easy to exploit once a suitable PoC is developed.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No

EPSS

0.07% (22nd percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

Affected Software

Component: looker-studio
Vendor: Google Cloud
Affected range: 0 – 2025-07-21
Fixed in: 2025-07-21

Weakness Classification (CWE)

CWE-269: Improper Privilege Management

Timeline

  1. Reserved: 2025-10-28
  2. Published: 2025-11-10
  3. EPSS updated: 2026-03-23

Mitigation and Workarounds

The vulnerability was patched on July 21, 2025, so running version 2025-07-21 or later is the primary mitigation. Since the vendor states that no customer action is required, the patch is most likely applied automatically on the service side; it is still recommended to verify the Looker Studio version in use. Reviewing report access permissions and limiting access to only the users who need it further reduces the attack surface. Because the underlying issue is that a report viewer can reach the data source with the connector's stored credentials, the database account behind each JDBC connector should hold only the privileges the reports need: consider read-only grants, data masking, or row-level security within the data source database so that the data reachable through those credentials stays limited even if arbitrary SQL can be executed.
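As an added example, not part of the NextGuard page and not Google's guidance, here is the database-side pattern the paragraph recommends: the account whose credentials a reporting connector stores is scoped to read-only access on a handful of columns, with row-level security and session limits, so that arbitrary SQL executed through those credentials cannot reach anything else. The SQL is PostgreSQL syntax; the `analytics` database, `public.orders` and `reporting_scopes` tables and the `looker_reader` role are hypothetical names chosen for illustration.

```sql
-- Added example (not from the page, the vendor or any connector project).
-- PostgreSQL; every object name below is hypothetical.

-- 1. Close the defaults that let any role create objects or connect.
REVOKE ALL ON DATABASE analytics FROM PUBLIC;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 2. A dedicated login role for the connector: no ownership, no DDL,
--    no superuser or replication attributes.
CREATE ROLE looker_reader LOGIN PASSWORD '<placeholder: generated and rotated>';
GRANT CONNECT ON DATABASE analytics TO looker_reader;
GRANT USAGE ON SCHEMA public TO looker_reader;

-- 3. Column-level SELECT only on the columns the reports need; sensitive
--    columns (e.g. a hypothetical card_number) are simply never granted,
--    so a SELECT * through the stored credentials fails with a permission error.
GRANT SELECT (order_id, customer_region, order_total, created_at)
  ON public.orders TO looker_reader;

-- 4. Row-level security scopes each connector role to the regions it is
--    provisioned for, via a small mapping table the role may read.
CREATE TABLE reporting_scopes (
  role_name text NOT NULL,
  region    text NOT NULL
);
INSERT INTO reporting_scopes (role_name, region) VALUES ('looker_reader', 'EMEA');
GRANT SELECT ON reporting_scopes TO looker_reader;

ALTER TABLE public.orders ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.orders FORCE ROW LEVEL SECURITY;   -- applies to the owner too

CREATE POLICY reporting_scope ON public.orders
  FOR SELECT
  TO looker_reader
  USING (customer_region IN (SELECT region
                             FROM reporting_scopes
                             WHERE role_name = current_user));
-- A role with no row in reporting_scopes sees zero rows: the policy fails closed.

-- 5. Session-level limits: the connector's sessions are read-only and
--    cannot run unbounded queries even if arbitrary SQL reaches the database.
ALTER ROLE looker_reader SET default_transaction_read_only = on;
ALTER ROLE looker_reader SET statement_timeout = '30s';

-- 6. Verification: what the connector account can actually read.
--    Expected output lists only the four granted columns of public.orders
--    plus reporting_scopes; anything else indicates privilege creep.
SELECT table_schema, table_name, column_name, privilege_type
FROM information_schema.column_privileges
WHERE grantee = 'looker_reader'
ORDER BY table_name, column_name;
```

The verification query in step 6 is the check worth scheduling: the exposure described in this CVE is bounded by whatever the stored credentials can reach, so the connector role's effective grants are the quantity to monitor, independently of whether the reporting tool itself has been patched.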

How to fix

Google has patched this vulnerability. No user action is required.

Frequently asked questions

What is CVE-2025-12405 — SQL Injection in Looker Studio?

CVE-2025-12405 is a vulnerability in Looker Studio where a report viewer can execute arbitrary SQL on the data source database due to stored credentials. It affects JDBC-based connectors.

Am I affected by CVE-2025-12405 in Looker Studio?

If you use Looker Studio with JDBC-based connectors and are running a version prior to 2025-07-21, you may be affected. However, the vendor states no customer action is needed.

How do I fix CVE-2025-12405 in Looker Studio?

Upgrade to version 2025-07-21 or later to address the vulnerability. Verify the version to ensure the patch has been applied.

Is CVE-2025-12405 being actively exploited?

There is currently no public information indicating active exploitation of CVE-2025-12405.

Where can I find the official Looker Studio advisory for CVE-2025-12405?

Refer to the official Looker Studio security advisory for details on CVE-2025-12405 and related information.