CVE-2025-12739: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Google Cloud Looker
An attacker with viewer permissions in Looker could craft a malicious URL that, when opened by a Looker admin, would execute an attacker-supplied script. Exploitation required at least one Looker extension installed on the instance. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ :
- 24.18.201+
- 25.0.79+
- 25.6.66+
- 25.12.7+
- 25.16.0+
- 25.18.0+
- 25.20.0+
AI Analysis
Technical Summary
CVE-2025-12739 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, in Google Cloud Looker, a business intelligence and data analytics platform. The flaw arises from improper neutralization of input during web page generation: an attacker holding only viewer-level permissions can craft a malicious URL, and when a Looker administrator opens it, attacker-supplied script executes in the administrator's browser context. This can lead to session hijacking, credential theft, or unauthorized actions performed with admin privileges. Exploitation requires that at least one Looker extension is installed on the instance, which provides the injection point the attack relies on. Both Looker-hosted and self-hosted deployments were vulnerable. Google has already mitigated the issue in Looker-hosted environments, which require no user action; self-hosted instances remain at risk until upgraded to a patched release (24.18.201 or later on the 24.18 line, or the patched release of a later line). The vulnerability has a CVSS 4.0 base score of 7.3, rated high: network attack vector, low attack complexity, privileges required (a viewer account), and user interaction needed. The impact on confidentiality, integrity, and availability is rated high because an attacker can execute arbitrary script in an admin context, potentially compromising sensitive data and administrative controls. No exploitation in the wild has been reported, but the combination of viewer-level access and an installed extension makes targeted attacks feasible. Organizations should verify their Looker deployment type and version, review installed extensions, and apply updates promptly to mitigate the risk.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially to those running self-hosted Looker instances with extensions installed. Successful exploitation could allow attackers to execute arbitrary script in the context of Looker administrators, leading to data breaches, unauthorized data manipulation, and disruption of analytics operations. Given Looker's role in business intelligence, a compromised admin account could expose sensitive corporate data, including financial, operational, and customer information. Because only viewer-level access is needed to craft the malicious URL, insider threats or compromised low-privilege accounts could use this flaw to escalate. The need for an admin to open the malicious URL means some user interaction is required, but targeted phishing or social engineering could supply it. The impact on confidentiality, integrity, and availability is high, which may affect compliance with GDPR and other European data protection regulations. Organizations relying on Looker for critical decision-making and reporting could face operational disruption and reputational damage if exploited.
Mitigation Recommendations
European organizations should immediately identify whether they operate self-hosted Looker instances and verify the installed version. If the installed version is older than the patched release for its line (24.18.201, 25.0.79, 25.6.66, 25.12.7, 25.16.0, 25.18.0 or 25.20.0), prioritize upgrading to the latest patched version available from the official Looker download page. Additionally, audit installed Looker extensions and disable any that are unnecessary or untrusted, since an installed extension is a precondition for exploitation. Implement strict access controls and monitor viewer-level accounts for suspicious activity, as these accounts can be used to craft the malicious URLs. Educate Looker administrators about the risk of opening untrusted URLs, especially those received via email or messaging platforms. Employ web filtering and email security solutions to detect and block phishing attempts that might deliver such URLs. Finally, consider Content Security Policy (CSP) headers and other browser-based mitigations to limit the impact of XSS within the Looker environment.
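The version check described above, as an added example that is not Google's or Looker's own code: it classifies a self-hosted instance's reported version against the release lines and minimum patched builds named in the advisory, treating unlisted (out-of-support) lines as needing an upgrade. The inventory is constructed and the handling of lines newer than the advisory is an assumption.

```python
"""Classify a self-hosted Looker version against the patched releases listed in
the CVE-2025-12739 advisory. Added example, not Google's or Looker's own code;
the version table is from the advisory, the sample inventory is constructed."""

# Minimum patched build for each supported release line, from the advisory.
PATCHED_MINIMUMS = {
    (24, 18): (24, 18, 201),
    (25, 0): (25, 0, 79),
    (25, 6): (25, 6, 66),
    (25, 12): (25, 12, 7),
    (25, 16): (25, 16, 0),
    (25, 18): (25, 18, 0),
    (25, 20): (25, 20, 0),
}

def parse_version(text):
    """Parse 'major.minor.build' as a Looker instance reports it."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Looker version: {text!r}")
    return tuple(int(p) for p in parts)

def assess(version):
    """Return 'patched', 'vulnerable', 'unsupported' or 'newer_than_advisory'."""
    v = parse_version(version)
    line = v[:2]
    if line in PATCHED_MINIMUMS:
        return "patched" if v >= PATCHED_MINIMUMS[line] else "vulnerable"
    if line > max(PATCHED_MINIMUMS):
        # Line released after the advisory; assumed to carry the fix
        # (assumption: confirm against that line's release notes).
        return "newer_than_advisory"
    # A line the advisory omits is out of support and received no fix:
    # treat it as vulnerable and plan an upgrade to a listed release.
    return "unsupported"

def needs_upgrade(inventory):
    """Hosts whose self-hosted Looker must be upgraded for CVE-2025-12739."""
    return [host for host, ver in inventory.items()
            if assess(ver) in ("vulnerable", "unsupported")]

if __name__ == "__main__":
    # Constructed inventory: hostname -> version string reported by the instance.
    sample = {"bi-prod.example.invalid": "25.12.3",
              "bi-dev.example.invalid": "25.12.7",
              "bi-legacy.example.invalid": "24.14.50"}
    for host in needs_upgrade(sample):
        print(f"{host}: {sample[host]} -> {assess(sample[host])}")
```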
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GoogleCloud
- Date Reserved: 2025-11-05T10:43:57.797Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69242f303dd5bbb718bbea47
Added to database: 11/24/2025, 10:10:56 AM
Last enriched: 12/1/2025, 10:21:42 AM
Last updated: 1/8/2026, 2:31:54 PM