CVE-2025-12397 | THREATINT

Description

A SQL injection vulnerability was found in Looker Studio. A Looker Studio user with report view access could inject malicious SQL that would execute with the report owner's permissions. The vulnerability affected to reports with BigQuery as the data source. This vulnerability was patched on 21 July 2025, and no customer action is needed.

PUBLISHED Reserved 2025-10-28 | Published 2025-11-10 | Updated 2025-11-10 | Assigner GoogleCloud

HIGH: 7.6CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/U:Clear

Problem types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status

unaffected

Any version before 2025-07-21

affected

Credits

Liv Matan from Tenable. finder

References

cloud.google.com/support/bulletins

www.tenable.com/security/research/tra-2025-28

cve.org (CVE-2025-12397)

nvd.nist.gov (CVE-2025-12397)

Download JSON