VYPR
Medium severity · NVD Advisory · Published Nov 19, 2025 · Updated Apr 15, 2026

CVE-2025-12743

Description

The Looker endpoint for generating new projects from database connections allows users to specify "looker" as a connection name, which is a reserved internal name for Looker's internal MySQL database. The schemas parameter is vulnerable to SQL injection, enabling attackers to manipulate SELECT queries that are constructed and executed against the internal MySQL database. This vulnerability allows users with developer permissions to extract data from Looker's internal MySQL database.

Both Looker-hosted and self-hosted instances were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances; no user action is required for those.

Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported self-hosted versions. The versions below all contain the fix and can be downloaded from the Looker download page, https://download.looker.com/ :
  • 24.12.106
  • 24.18.198+
  • 25.0.75
  • 25.6.63+
  • 25.8.45+
  • 25.10.33+
  • 25.12.1+
  • 25.14+
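The query-construction defect the description names, shown as an added example that is not Looker's code and is not taken from the cited references. An in-memory SQLite table (constructed here) stands in for the information_schema view the internal MySQL database would answer, a concatenating query builder stands in for the vulnerable handling of the schemas parameter, and the hardened builder validates each schema name and binds it as a parameter. The reserved-name check for the "looker" connection is shown separately. The table names, the settings row, the payload, and every function name below are assumptions made for this example.

```python
import re
import sqlite3

# "looker" is the reserved internal connection name named in the advisory.
# Case-insensitive, whitespace-trimmed matching is an assumption about how
# names are normalized; adjust to whatever the real endpoint does.
RESERVED_CONNECTION_NAMES = {"looker"}

# Identifier rule used by the hardened builder (assumption: letters, digits,
# underscore, at most 64 characters, matching MySQL's identifier limit).
SCHEMA_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def make_db():
    """Constructed stand-in for Looker's internal database (SQLite, in memory)."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    # schema_tables plays the role of information_schema.tables.
    cur.execute("CREATE TABLE schema_tables (schema_name TEXT, table_name TEXT)")
    cur.executemany(
        "INSERT INTO schema_tables VALUES (?, ?)",
        [("sales", "orders"), ("sales", "customers"), ("hr", "employees")],
    )
    # Invented internal table holding something an attacker would want.
    cur.execute("CREATE TABLE internal_settings (setting_key TEXT, setting_value TEXT)")
    cur.execute("INSERT INTO internal_settings VALUES ('admin_api_token', 'SECRET-TOKEN-42')")
    conn.commit()
    return conn


def is_reserved_connection(name):
    """True when a user-supplied connection name targets the internal database."""
    return name.strip().lower() in RESERVED_CONNECTION_NAMES


def resolve_connection(name):
    """Reject the reserved internal connection before any query is built."""
    if is_reserved_connection(name):
        raise ValueError(f"connection name {name!r} is reserved for Looker's internal database")
    return name


def list_tables_unsafe(conn, schemas):
    """Vulnerable pattern: schema names are spliced into the SQL text."""
    quoted = ", ".join(f"'{s}'" for s in schemas)
    sql = f"SELECT table_name FROM schema_tables WHERE schema_name IN ({quoted})"
    return [row[0] for row in conn.execute(sql)]


def list_tables_safe(conn, schemas):
    """Hardened pattern: validate each name, then bind it as a parameter."""
    for s in schemas:
        if not SCHEMA_NAME_RE.fullmatch(s):
            raise ValueError(f"invalid schema name: {s!r}")
    placeholders = ", ".join("?" for _ in schemas)
    sql = f"SELECT table_name FROM schema_tables WHERE schema_name IN ({placeholders})"
    return [row[0] for row in conn.execute(sql, list(schemas))]


# Constructed payload: closes the IN (...) list, appends a UNION that reads an
# internal table, and comments out the rest. The public exploit write-up
# describes an error-based technique; a UNION is used here only so that the
# leak is visible in the ordinary result set.
INJECTED_SCHEMA = "sales') UNION SELECT setting_value FROM internal_settings --"


def demo():
    """Run the payload through both builders; returns (leaked rows, blocked?)."""
    conn = make_db()
    leaked = list_tables_unsafe(conn, [INJECTED_SCHEMA])
    try:
        list_tables_safe(conn, [INJECTED_SCHEMA])
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    rows, blocked = demo()
    print("unsafe builder returned:", rows)
    print("safe builder rejected payload:", blocked)
```

Two practitioner caveats. The sqlite3 stand-in accepts `--` as a comment anywhere; MySQL requires the `-- ` form with trailing whitespace (or `#`), so a real payload against the internal database would differ in its tail. And binding parameters only protects the value position: if an implementation also splices schema names into identifiers (for example a `FROM schema.table` clause), the allowlist regex is what protects that position, which is why the hardened builder validates before binding rather than relying on placeholders alone.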

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A user with developer permissions can exploit SQL injection in the schemas parameter of Looker's project creation endpoint to extract data from Looker's internal MySQL database.

This vulnerability, CVE-2025-12743, resides in Looker's endpoint for generating new projects from database connections. The flaw allows a user with developer permissions to specify 'looker' as a connection name, which is a reserved internal name for Looker's own MySQL database. The schemas parameter in this endpoint is vulnerable to SQL injection, enabling manipulation of SELECT queries constructed and executed against that internal database [1].

According to the exploit write-up cited as [2], an attacker with developer-level access creates a new LookML project and intercepts the request to attach it to the internal connection (named there as looker__ilooker). The write-up then abuses the LookML tests feature: a crafted test carrying a formatted SQL injection payload causes the query to be executed against the internal database. The injection is error-based, with query results returned inside database error messages, which allows systematic exfiltration [2]. Note that the NVD description locates the injection in the schemas parameter of the project-creation request itself; the LookML-tests path is the chain described in [2].

The impact allows attackers to extract sensitive data from Looker's internal MySQL database. This data could include configuration details, credentials, or other sensitive information stored by Looker itself [2]. The vulnerability affects both Looker-hosted and self-hosted instances [1].

Looker-hosted instances have already been mitigated, requiring no user action. Self-hosted instances must be upgraded to patched versions: 24.12.106, 24.18.198+, 25.0.75, 25.6.63+, 25.8.45+, 25.10.33+, 25.12.1+, or 25.14+. Patches are available on the Looker download page [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (1)

  • Range: <24.12.106, <24.18.198, <25.0.75, <25.6.63, <25.8.45, <25.10.33, <25.12.1, <25.14

Patches (0)

No patch commits linked in the index yet; the fixed self-hosted versions are those listed in the description above.

References (2)
