Looker Self-Hosted Remote Script Execution Vulnerability for Users with Viewer Permissions

Vulnerability

A vulnerability in Looker allows an attacker who holds only viewer permissions to craft a malicious URL. When a Looker admin opens that URL, a script supplied by the attacker is executed. The issue affects both Looker-hosted and self-hosted instances; it has already been mitigated for Looker-hosted instances, so self-hosted instances must be upgraded to a patched version immediately (see Remediation below).

Impact

Exploitation lets an attacker run a script of their choosing in the context of the admin who opened the URL, which can lead to unauthorized actions or configuration changes within the Looker instance carried out with that admin's privileges. Exploitation requires user interaction: an admin must open the attacker-supplied URL.

Remediation

Upgrade self-hosted Looker instances to a patched release on the release line you are running: 24.18.201+, 25.0.79+, 25.6.66+, 25.12.7+, 25.16.0+, 25.18.0+ or 25.20.0 (where "+" means that build or any later release on the same line). Instructions for downloading these versions are available on the Looker download page.
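As an added practitioner's check (this is example code, not part of the advisory and not Looker's own tooling): the following Python compares a running Looker version string against the patched minimums listed above and reports whether the instance is patched, still vulnerable, on a release line the advisory does not name, or newer than the advisory covers, together with the smallest listed build to move to. It assumes the usual Looker major.minor.patch version format and that the version string has already been retrieved from the instance (for example the looker_release_version field of the Looker API versions endpoint); the sample strings in the block are constructed, not real instances. Two interpretations are assumptions of this example rather than statements of the advisory: "+" is read as "that build or later on the same line", and release lines between 24.18 and 25.20 that the advisory does not list are flagged for upgrade to a listed line rather than declared safe.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Minimum patched build on each release line named in the advisory's
# Remediation section. Key: (major, minor) line; value: first patched build.
# "+" in the advisory is read here as "this build or any later one on the line".
PATCHED_MINIMUMS = {
    (24, 18): (24, 18, 201),
    (25, 0): (25, 0, 79),
    (25, 6): (25, 6, 66),
    (25, 12): (25, 12, 7),
    (25, 16): (25, 16, 0),
    (25, 18): (25, 18, 0),
    (25, 20): (25, 20, 0),
}

OLDEST_FIX = min(PATCHED_MINIMUMS.values())   # (24, 18, 201): nothing older is fixed
NEWEST_LINE = max(PATCHED_MINIMUMS)           # (25, 20): last line the advisory names

# Accepts "25.12.7", "v25.12.7" or "25.12.7-anything"; trailing text is ignored.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Parse the leading major.minor.patch of a Looker version string."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Looker version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version_text: str) -> str:
    """Classify a running version against the advisory's patched builds.

    Returns one of:
      'patched'             on a listed line, at or above its patched build
      'vulnerable'          on a listed line below its patched build, or older
                            than the oldest fix (24.18.201), where no fixed
                            build exists at all
      'unlisted'            a line between 24.18 and 25.20 that the advisory
                            does not name (assumption: treat as unpatched and
                            move to a listed line)
      'newer_than_advisory' a line newer than 25.20; not covered by the
                            advisory text, confirm against the release notes
    """
    version = parse_version(version_text)
    line = version[:2]

    if version < OLDEST_FIX:
        return "vulnerable"
    minimum = PATCHED_MINIMUMS.get(line)
    if minimum is not None:
        return "patched" if version >= minimum else "vulnerable"
    if line > NEWEST_LINE:
        return "newer_than_advisory"
    return "unlisted"


def recommended_target(version_text: str) -> Optional[Version]:
    """Smallest listed patched build that is >= the running version.

    Returns None when the instance is already patched or is newer than the
    advisory covers (nothing in the list is a sensible upgrade target then).
    """
    status = assess(version_text)
    if status in ("patched", "newer_than_advisory"):
        return None
    version = parse_version(version_text)
    candidates = [v for v in PATCHED_MINIMUMS.values() if v >= version]
    return min(candidates) if candidates else None


if __name__ == "__main__":
    # Constructed sample version strings; a real check would feed in the
    # version reported by the instance itself.
    for sample in ["24.18.200", "25.6.66", "25.8.12", "v25.22.3"]:
        target = recommended_target(sample)
        target_text = ".".join(map(str, target)) if target else "-"
        print(f"{sample:>10}  {assess(sample):<20}  upgrade to: {target_text}")
```

Run the script to see the four constructed samples classified; in a fleet check, wrap assess() over the version string collected from each self-hosted instance and treat anything other than 'patched' as an open finding until confirmed.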

Added: Nov 24, 2025, 10:17 AM
Updated: Nov 24, 2025, 10:17 AM

Vulnerability Rating

Custom Algorithm scores:
spread: 0.0
impact: 1.7
exploitability: 5.0
remediation: 7.7
relevance: 1.2
threat: 0.0
urgency: 10.0
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.