Looker SQL Injection Vulnerability Allowing Data Exfiltration from Internal Database

Vulnerability

A SQL injection vulnerability has been identified in Looker's endpoint for generating new projects from database connections. It allows users with developer permissions to manipulate SELECT queries that Looker executes against its own internal MySQL database: by specifying 'looker' as the connection name, an attacker can use the schemas parameter to inject SQL into those queries and extract data they are not authorized to see. Looker-hosted instances have already been mitigated; self-hosted instances remain vulnerable and must be upgraded as soon as possible.
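The defect class described above, as an added example that is not Looker's code: a caller-supplied list of schema names is spliced into the text of a SELECT, so a value containing a quote breaks out of the string literal and the rest of the value is executed as SQL. The advisory's error-based extraction channel is MySQL-specific and is not reproduced here; the example uses a constructed in-memory SQLite database (the table and column names are assumptions) to show the vulnerable query builder beside a hardened one that allow-lists identifiers and binds them as parameters.

```python
"""Vulnerable vs. hardened handling of a user-supplied schema list.
Added example with a constructed SQLite database; not Looker's code,
and the schemata / user_secrets tables are assumptions."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a table the endpoint is meant to read and a
    # table it must never expose to the caller.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE schemata (schema_name TEXT);
        INSERT INTO schemata VALUES ('sales'), ('marketing'), ('internal');
        CREATE TABLE user_secrets (username TEXT, api_key TEXT);
        INSERT INTO user_secrets VALUES ('admin', 'constructed-secret-key');
    """)
    return db


def list_schemas_vulnerable(db: sqlite3.Connection, schemas: list[str]) -> list[str]:
    # VULNERABLE: each name is quoted by hand and concatenated into the query
    # text, so a value containing a single quote changes the query's structure.
    quoted = ", ".join(f"'{s}'" for s in schemas)
    sql = f"SELECT schema_name FROM schemata WHERE schema_name IN ({quoted})"
    return [row[0] for row in db.execute(sql)]


# Schema names are identifiers: letters, digits and underscores only.
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def list_schemas_hardened(db: sqlite3.Connection, schemas: list[str]) -> list[str]:
    # HARDENED: reject anything that is not a plain identifier, then bind the
    # values as parameters so the driver never interprets them as SQL text.
    for s in schemas:
        if not IDENT.match(s):
            raise ValueError(f"invalid schema name: {s!r}")
    placeholders = ", ".join("?" for _ in schemas)
    sql = f"SELECT schema_name FROM schemata WHERE schema_name IN ({placeholders})"
    return [row[0] for row in db.execute(sql, schemas)]


# Constructed payload: closes the IN list, appends a UNION that reads the
# secrets table, and comments out the original closing parenthesis.
PAYLOAD = "sales') UNION SELECT api_key FROM user_secrets -- "


def demo() -> tuple[set[str], bool]:
    """Return (rows leaked by the vulnerable builder, whether the hardened one
    rejected the same payload)."""
    db = make_db()
    leaked = set(list_schemas_vulnerable(db, [PAYLOAD]))
    try:
        list_schemas_hardened(db, [PAYLOAD])
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The identifier allow-list is the important half of the fix: parameter binding protects string values, but schema names are often spliced into queries as identifiers (for example after `FROM`), where placeholders cannot be used, and there only strict validation prevents injection.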

Impact

Exploitation takes the form of error-based SQL injection: injected SQL is executed against Looker's internal MySQL database and its results are returned to the attacker through the database error messages. Repeating the injection allows the entire internal database to be dumped systematically, exposing sensitive information.

Reproduction

To reproduce this vulnerability, a user with developer access creates a new LookML project and intercepts the request in order to attach it to the internal connection named 'looker__ilooker'. The request is then modified so that the schemas parameter carries a SQL injection payload, which is executed against the internal database. The results of the injected query are returned in the database error messages, allowing data to be exfiltrated.

Remediation

Self-hosted Looker instances should be upgraded to the fixed build for their release line or later: 24.12.106, 24.18.198, 25.0.75, 25.6.63, 25.8.45, 25.10.33, 25.12.1 or 25.14.
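A quick check for the version list above, as an added example rather than a vendor-supplied tool: it parses a self-hosted build's version string (assumed to be of the form major.minor.patch), looks up the fixed patch level for that release line, and reports a release line that has no fixed build listed as unpatched so that it is not silently treated as safe. Treating release lines newer than 25.14 as fixed is an assumption of this example.

```python
"""Compare a self-hosted Looker version against the fixed builds in the advisory.
Added example; the version-string format is an assumption."""

# Lowest fixed patch level per release line, from the remediation section.
# 25.14 is listed without a patch level, so any 25.14.x build counts as fixed.
FIXED_PATCH_BY_LINE = {
    (24, 12): 106,
    (24, 18): 198,
    (25, 0): 75,
    (25, 6): 63,
    (25, 8): 45,
    (25, 10): 33,
    (25, 12): 1,
    (25, 14): 0,
}
NEWEST_LISTED_LINE = max(FIXED_PATCH_BY_LINE)


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'major.minor' or 'major.minor.patch' into integers."""
    parts = version.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor = int(parts[0]), int(parts[1])
    patch = int(parts[2]) if len(parts) == 3 else 0
    return major, minor, patch


def is_patched(version: str) -> tuple[bool, str]:
    """Return (patched, reason) for a self-hosted Looker version."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED_PATCH_BY_LINE:
        needed = FIXED_PATCH_BY_LINE[line]
        if patch >= needed:
            return True, f"{version} is at or past {major}.{minor}.{needed}"
        return False, f"{version} is below fixed build {major}.{minor}.{needed}"
    if line > NEWEST_LISTED_LINE:
        # Assumption of this example: lines newer than the newest listed
        # line contain the fix.
        return True, f"{version} is newer than the listed release lines"
    return False, f"no fixed build is listed for release line {major}.{minor}; upgrade"


if __name__ == "__main__":
    for v in ("25.8.44", "25.8.45", "24.18.200", "25.2.10", "25.16.0"):
        print(v, *is_patched(v))
```

Run it against the version reported by each self-hosted instance; any result of False, including the "no fixed build listed" case for an unlisted release line, should be treated as requiring an upgrade.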

Added: Nov 19, 2025, 5:31 PM
Updated: Nov 19, 2025, 7:45 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.6
remediation: 7.7
relevance: 1.1
threat: 1.6
urgency: 10.0
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.