Looker Command Injection Vulnerability via Improper File Path Sanitization

Vulnerability

A command injection vulnerability has been identified in Looker, affecting both Looker-hosted and self-hosted instances. It arises from improper file path sanitization and allows an attacker with Developer permission to execute arbitrary shell commands on the host system when a user is deleted. Looker-hosted instances have already been mitigated; self-hosted instances must be upgraded as soon as possible. The vulnerability has been patched in all supported versions of self-hosted Looker.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the host system.

Remediation

Self-hosted Looker instances should be upgraded to version 24.12.100+, 24.18.192+, 25.0.69+, 25.6.57+, 25.8.39+ or 25.10.22. Instructions for downloading these versions are available on the Looker download page.
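A patch-level check for a self-hosted fleet, written as an added example for this page (not Looker's own tooling). It encodes the fixed releases listed above per release line and flags anything below them; the 25.10.22 entry is listed without a "+", so treating it as the minimum for the 25.10 line is an assumption, and the version strings fed to it are constructed.

```python
"""Check self-hosted Looker versions against the advisory's fixed releases."""
import re
from typing import Optional

# Minimum fixed patch per (major, minor) release line, from the Remediation
# section. 25.10.22 appears without a "+"; it is treated here as the minimum
# for the 25.10 line (assumption, not stated by the advisory).
FIXED_MINIMUMS = {
    (24, 12): 100,
    (24, 18): 192,
    (25, 0): 69,
    (25, 6): 57,
    (25, 8): 39,
    (25, 10): 22,
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(version: str) -> tuple:
    """Parse 'major.minor.patch' into ints; reject anything else so a typo
    or a build suffix never silently passes as 'patched'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Looker version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version: str) -> Optional[bool]:
    """True if at/above the fixed patch for its release line, False if below,
    None if the release line is not listed (unknown: verify manually)."""
    major, minor, patch = parse_version(version)
    minimum = FIXED_MINIMUMS.get((major, minor))
    if minimum is None:
        return None
    return patch >= minimum


def triage(versions: list) -> dict:
    """Label each version for a remediation report."""
    labels = {True: "patched", False: "UPGRADE REQUIRED", None: "unlisted release line"}
    return {v: labels[is_patched(v)] for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["24.12.99", "24.12.100", "25.6.57", "25.10.22", "25.4.10"]
    for version, status in triage(sample).items():
        print(f"{version}: {status}")
```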

Added: Nov 10, 2025, 9:21 AM
Updated: Nov 10, 2025, 9:21 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 5.2
remediation: 7.7
relevance: 0.9
threat: 0.0
urgency: 10.0
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.