SQL Injection Vulnerability in Looker Studio by Google
CVE-2025-12409

7.3 HIGH

Key Information:

Vendor
CVE Published: 10 November 2025

What is CVE-2025-12409?

A SQL injection vulnerability impacting Looker Studio enables attackers to execute unauthorized SQL queries against BigQuery data sources. This can result in data exfiltration when a user accesses a malicious report with native functions activated, allowing the execution of injected queries under the victim's permissions. Google has patched this vulnerability as of July 7, 2025, and no action is needed from customers.

Affected Version(s)

Looker Studio 0 < 2025-07-07

References

CVSS V4

Score: 7.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Liv Matan