Search criteria
2 vulnerabilities found for Community Edition by neo4j
CVE-2025-11602 (GCVE-0-2025-11602)
Vulnerability from cvelistv5 – Published: 2025-10-31 10:20 – Updated: 2025-10-31 11:37
VLAI?
Summary
Potential information leak in bolt protocol handshake in Neo4j Enterprise and Community editions allows attacker to obtain one byte of information from previous connections. The attacker has no control over the information leaked in server responses.
Severity ?
CWE
- CWE-226 - Sensitive Information in Resource Not Removed Before Reuse
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| neo4j | Enterprise Edition |
Affected:
5.26.0 , < 5.26.15
(semver)
Affected: 2025.1.0 , < 2025.10.1 (semver) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11602",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-31T11:36:06.456339Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T11:37:44.777Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Enterprise Edition",
"vendor": "neo4j",
"versions": [
{
"lessThan": "5.26.15",
"status": "affected",
"version": "5.26.0",
"versionType": "semver"
},
{
"lessThan": "2025.10.1",
"status": "affected",
"version": "2025.1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://mvnrepository.com/artifact/org.neo4j/",
"defaultStatus": "unaffected",
"packageName": "neo4j",
"product": "Community Edition",
"repo": "https://github.com/neo4j/neo4j",
"vendor": "neo4j",
"versions": [
{
"lessThan": "5.26.15",
"status": "affected",
"version": "5.26.0",
"versionType": "semver"
},
{
"lessThan": "2025.10.1",
"status": "affected",
"version": "2025.1.0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:neo4j:enterprise_edition:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.26.15",
"versionStartIncluding": "5.26.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:neo4j:enterprise_edition:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2025.10.1",
"versionStartIncluding": "2025.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:neo4j:community_edition:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.26.15",
"versionStartIncluding": "5.26.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:neo4j:community_edition:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2025.10.1",
"versionStartIncluding": "2025.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Potential information leak in bolt protocol handshake in Neo4j Enterprise and Community editions allows attacker to obtain one byte of information from previous connections. The attacker has no control over the information leaked in server responses.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Potential information leak in bolt protocol handshake in Neo4j Enterprise and Community editions allows attacker to obtain one byte of information from previous connections. The attacker has no control over the information leaked in server responses."
}
],
"impacts": [
{
"capecId": "CAPEC-410",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-410 Information Elicitation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "CLEAR",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/V:D/U:Clear",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-226",
"description": "CWE-226: Sensitive Information in Resource Not Removed Before Reuse",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T10:20:17.254Z",
"orgId": "3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6",
"shortName": "Neo4j"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://neo4j.com/security/cve-2025-11602"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Untargeted information leak in Bolt protocol handshake",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6",
"assignerShortName": "Neo4j",
"cveId": "CVE-2025-11602",
"datePublished": "2025-10-31T10:20:17.254Z",
"dateReserved": "2025-10-10T12:54:22.071Z",
"dateUpdated": "2025-10-31T11:37:44.777Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11602 (GCVE-0-2025-11602)
Vulnerability from nvd – Published: 2025-10-31 10:20 – Updated: 2025-10-31 11:37
VLAI?
Summary
Potential information leak in bolt protocol handshake in Neo4j Enterprise and Community editions allows attacker to obtain one byte of information from previous connections. The attacker has no control over the information leaked in server responses.
Severity ?
CWE
- CWE-226 - Sensitive Information in Resource Not Removed Before Reuse
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| neo4j | Enterprise Edition |
Affected:
5.26.0 , < 5.26.15
(semver)
Affected: 2025.1.0 , < 2025.10.1 (semver) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11602",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-31T11:36:06.456339Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T11:37:44.777Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Enterprise Edition",
"vendor": "neo4j",
"versions": [
{
"lessThan": "5.26.15",
"status": "affected",
"version": "5.26.0",
"versionType": "semver"
},
{
"lessThan": "2025.10.1",
"status": "affected",
"version": "2025.1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://mvnrepository.com/artifact/org.neo4j/",
"defaultStatus": "unaffected",
"packageName": "neo4j",
"product": "Community Edition",
"repo": "https://github.com/neo4j/neo4j",
"vendor": "neo4j",
"versions": [
{
"lessThan": "5.26.15",
"status": "affected",
"version": "5.26.0",
"versionType": "semver"
},
{
"lessThan": "2025.10.1",
"status": "affected",
"version": "2025.1.0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:neo4j:enterprise_edition:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.26.15",
"versionStartIncluding": "5.26.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:neo4j:enterprise_edition:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2025.10.1",
"versionStartIncluding": "2025.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:neo4j:community_edition:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.26.15",
"versionStartIncluding": "5.26.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:neo4j:community_edition:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2025.10.1",
"versionStartIncluding": "2025.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Potential information leak in bolt protocol handshake in Neo4j Enterprise and Community editions allows attacker to obtain one byte of information from previous connections. The attacker has no control over the information leaked in server responses.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Potential information leak in bolt protocol handshake in Neo4j Enterprise and Community editions allows attacker to obtain one byte of information from previous connections. The attacker has no control over the information leaked in server responses."
}
],
"impacts": [
{
"capecId": "CAPEC-410",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-410 Information Elicitation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "CLEAR",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/V:D/U:Clear",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-226",
"description": "CWE-226: Sensitive Information in Resource Not Removed Before Reuse",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T10:20:17.254Z",
"orgId": "3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6",
"shortName": "Neo4j"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://neo4j.com/security/cve-2025-11602"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Untargeted information leak in Bolt protocol handshake",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6",
"assignerShortName": "Neo4j",
"cveId": "CVE-2025-11602",
"datePublished": "2025-10-31T10:20:17.254Z",
"dateReserved": "2025-10-10T12:54:22.071Z",
"dateUpdated": "2025-10-31T11:37:44.777Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}