CVE-2025-12414
📋 TL;DR
An attacker can take over Looker accounts in instances configured with OIDC authentication due to email address string normalization issues. This affects both Looker-hosted (already mitigated) and self-hosted instances. Account takeover allows full access to the compromised user's Looker environment.
💻 Affected Systems
- Looker
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all Looker accounts, leading to data exfiltration, privilege escalation, and unauthorized access to business intelligence data.
Likely Case
Targeted account takeover of specific users, potentially leading to unauthorized access to sensitive dashboards and data.
If Mitigated
No impact if patched or using Looker-hosted instances (already mitigated).
🎯 Exploit Status
Exploitation requires OIDC authentication configuration and knowledge of email normalization behavior.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.12.100+, 24.18.193+, 25.0.69+, 25.6.57+, 25.8.39+, 25.10.22+, 25.12.0+
Vendor Advisory: https://cloud.google.com/support/bulletins#GCP-2025-067
Restart Required: Yes
Instructions:
1. Download the patched version from https://download.looker.com/
2. Back up the current instance
3. Install the patched version
4. Restart the Looker service
🔧 Temporary Workarounds
Disable OIDC Authentication
Temporarily disable OIDC authentication until patching can be completed
Modify Looker configuration to use alternative authentication methods
🧯 If You Can't Patch
- Implement strict network access controls to limit Looker instance exposure
- Enable enhanced logging and monitoring for suspicious authentication attempts
🔍 How to Verify
Check if Vulnerable:
Check whether the instance uses OIDC authentication and whether its version is below the patched releases listed above
Check Version:
Check Looker admin panel or configuration files for version information
Verify Fix Applied:
Verify Looker version matches patched releases and test OIDC authentication functionality
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts followed by successful login
- Unusual email normalization patterns in authentication logs
Network Indicators:
- Unusual authentication traffic patterns to OIDC endpoints
SIEM Query:
Authentication logs with email normalization anomalies or account takeover patterns
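The "email normalization anomalies" indicator above is easier to act on with a concrete check. The following is an added example, not code from this page or from Google/Looker: it reads OIDC login events, folds each email address to a canonical form (NFKC normalization, case folding, whitespace stripped), and raises an alert whenever two different raw spellings collapse onto the same canonical account. The log line format and the canonicalization rules are assumptions, and the sample log lines are constructed for the example; adapt the regex to the real audit log export before running it against production data.

```python
import re
import unicodedata
from collections import defaultdict

# Constructed sample events; the real Looker/OIDC audit log format is an assumption.
SAMPLE_LOGS = """\
2025-11-03T09:12:44Z oidc_login result=success email=alice@example.com
2025-11-03T09:13:02Z oidc_login result=success email=Alice@Example.com
2025-11-03T09:15:10Z oidc_login result=failure email=bob@example.com
2025-11-03T09:15:21Z oidc_login result=success email=bob@example.com
2025-11-03T09:20:05Z oidc_login result=success email=carol@example.com
2025-11-03T09:21:30Z oidc_login result=success email=ｃarol@example.com
"""

# Assumed line layout: "<timestamp> oidc_login result=<success|failure> email=<address>"
LINE_RE = re.compile(r"^(?P<ts>\S+) oidc_login result=(?P<result>\w+) email=(?P<email>\S+)$")


def canonical_email(raw: str) -> str:
    """Fold an address to the form an identity comparison would use (assumed rules):
    Unicode compatibility normalization, case folding, surrounding whitespace removed."""
    return unicodedata.normalize("NFKC", raw.strip()).casefold()


def parse_events(text: str) -> list:
    """Parse log text into a list of dicts with ts/result/email; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_normalization_collisions(events: list) -> dict:
    """Return {canonical_email: sorted list of distinct raw spellings} for every
    canonical account that more than one raw string collapsed onto in successful logins."""
    seen = defaultdict(set)
    for ev in events:
        if ev["result"] == "success":
            seen[canonical_email(ev["email"])].add(ev["email"])
    return {canon: sorted(raws) for canon, raws in seen.items() if len(raws) > 1}


def classify(raws: list) -> str:
    """Case-only differences are common and usually benign; a collision that only
    disappears after Unicode compatibility folding deserves a closer look."""
    return "case-only" if len({r.casefold() for r in raws}) == 1 else "unicode-compat"


def non_ascii_emails(events: list) -> list:
    """Any non-ASCII address in an OIDC login is worth reviewing on its own."""
    return sorted({ev["email"] for ev in events if not ev["email"].isascii()})


def main() -> None:
    events = parse_events(SAMPLE_LOGS)
    for canon, raws in find_normalization_collisions(events).items():
        print(f"ALERT [{classify(raws)}]: {len(raws)} spellings collapse to {canon}: {raws}")
    for addr in non_ascii_emails(events):
        print(f"REVIEW: non-ASCII email in OIDC login: {addr!r}")


if __name__ == "__main__":
    main()
```

Run the script as-is to see both a benign case-only collision and a compatibility-folding collision flagged; in a SIEM, the same grouping (count of distinct raw `email` values per canonical address over a time window, with a higher severity for the `unicode-compat` class) is what the query above is describing.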