CVE-2025-12409 | THREATINT

Description

A SQL injection vulnerability was discovered in Looker Studio that allowed for data exfiltration from BigQuery data sources. By creating a malicious report with native functions enabled, and having the victim access the report, an attacker could execute injected SQL queries with the victim's permissions in BigQuery. This vulnerability was patched on 07 July 2025, and no customer action is needed.

PUBLISHED Reserved 2025-10-28 | Published 2025-11-10 | Updated 2025-11-10 | Assigner GoogleCloud

HIGH: 7.3CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/U:Clear

Problem types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status

unaffected

Any version before 2025-07-07

affected

Credits

Liv Matan from Tenable. finder

References

cloud.google.com/support/bulletins

www.tenable.com/security/research/tra-2025-27

cve.org (CVE-2025-12409)

nvd.nist.gov (CVE-2025-12409)

Download JSON