Looker Race Condition Vulnerability in Git Directory Deletion Leading to Arbitrary Command Execution

Vulnerability

A race condition has been identified in Looker that allows an attacker with the Developer role to manipulate a LookML project. The race occurs during the deletion of Git directories and can lead to arbitrary command execution on the affected Looker instance. Both Looker-hosted and self-hosted versions were found to be vulnerable. The issue has already been mitigated for Looker-hosted instances; self-hosted users must upgrade to a patched version as soon as possible.

Impact

Exploitation of this vulnerability could result in unauthorized arbitrary command execution on the Looker instance.

Remediation

Self-hosted Looker instances should be upgraded to version 24.12.103+, 24.18.195+, 25.0.72+, 25.6.60+, 25.8.42+ or 25.10.22. Instructions for downloading these versions are available on the Looker download page.
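To check an inventory of self-hosted instances against the fixed versions listed above, the following added example (not part of the original advisory or of Looker's tooling) compares each version string with the minimum build for its release branch. It assumes that 25.10.22, listed without a "+", is also a minimum, and it reports branches the advisory does not name as unknown rather than guessing; the hostnames and versions in the sample are constructed.

```python
import re

# Minimum fixed build per release branch, copied from the Remediation paragraph.
# Assumption: 25.10.22 (listed without "+") is treated as a minimum like the others.
FIXED = {
    (24, 12): 103,
    (24, 18): 195,
    (25, 0): 72,
    (25, 6): 60,
    (25, 8): 42,
    (25, 10): 22,
}

_VERSION = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*$")


def patch_status(version):
    """Return 'patched', 'needs_upgrade' or 'unknown' for a Looker version string."""
    m = _VERSION.match(version)
    if not m:
        return "unknown"  # not a major.minor.build string
    major, minor, build = map(int, m.groups())
    fixed_build = FIXED.get((major, minor))
    if fixed_build is None:
        # The advisory names no fixed build for this branch; do not guess.
        return "unknown"
    # Compare builds numerically: 24.12.9 is older than 24.12.103.
    return "patched" if build >= fixed_build else "needs_upgrade"


def triage(inventory):
    """Group hosts by status so unpatched and unverifiable instances stand out."""
    result = {"patched": [], "needs_upgrade": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        result[patch_status(version)].append(host)
    return result


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are sample values.
    sample = {
        "looker-a.example.internal": "24.18.195",
        "looker-b.example.internal": "25.6.59",
        "looker-c.example.internal": "24.14.10",
        "looker-d.example.internal": "25.10.22",
    }
    for status, hosts in triage(sample).items():
        print(status, hosts)
```

Instances reported as unknown run a branch for which the advisory names no fixed build, so they need a manual check against the Looker download page.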

Added: Nov 19, 2025, 11:20 AM
Updated: Nov 19, 2025, 8:02 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 4.8
remediation: 7.7
relevance: 1.1
threat: 0.0
urgency: 10.0
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.