CVE-2025-12738 Overview
CVE-2025-12738 is an information disclosure vulnerability affecting Neo4j Enterprise edition. The vulnerability exists in versions prior to 2025.11.2 and 5.26.17, allowing an attacker with limited legitimate database access to infer property values without proper read permissions. This is achieved through error message enumeration when attempting SET operations on properties, exposing sensitive data through verbose error responses.
Critical Impact
Authenticated attackers can bypass read access controls and enumerate sensitive property values through error message analysis, potentially exposing confidential database information.
Affected Products
- Neo4j Enterprise edition versions prior to 2025.11.2
- Neo4j Enterprise edition versions prior to 5.26.17
Discovery Timeline
- 2026-01-22 - CVE CVE-2025-12738 published to NVD
- 2026-01-22 - Last updated in NVD database
Technical Details for CVE-2025-12738
Vulnerability Analysis
This vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The core issue lies in Neo4j Enterprise's handling of error messages during property modification operations. When an authenticated user without read permissions on a property attempts to set its value, the database returns error messages that vary based on the existing property value. This differential response behavior creates a side channel that attackers can exploit to infer protected information.
The attack requires network access and authenticated database credentials, but does not require specific read permissions on the targeted properties. An attacker can systematically enumerate possible property values by observing the differences in error responses, effectively bypassing the intended access control restrictions.
Root Cause
The root cause stems from improper information exposure in error handling logic. When processing SET property operations, Neo4j Enterprise fails to properly sanitize error messages, inadvertently revealing information about property values to users who lack read permissions. This violates the principle of least privilege by leaking protected data through a side channel in the error response mechanism.
Attack Vector
The attack is conducted over the network by an authenticated user with limited database access. The attacker does not need read permissions on the target property but must have some legitimate access to the Neo4j database. By attempting to set property values and analyzing the resulting error messages, the attacker can systematically enumerate all possible values until determining the actual stored value. This technique exploits the differential error responses as an oracle to reveal protected information.
The vulnerability manifests when an attacker sends multiple SET property requests with different candidate values and observes variations in the error messages returned by the database. The differences in error responses indicate whether the guessed value matches the actual property value. For detailed technical information, refer to the Neo4j Security Advisory CVE-2025-12738.
Detection Methods for CVE-2025-12738
Indicators of Compromise
- Unusual patterns of failed SET property operations from authenticated users
- High volume of property modification attempts targeting specific nodes or properties
- Repeated error responses related to property access violations in database logs
- Anomalous query patterns suggesting enumeration or brute-force activity
Detection Strategies
- Monitor Neo4j audit logs for excessive SET operation failures from individual user accounts
- Implement alerting on repetitive property modification attempts that result in access denied errors
- Correlate database activity logs with user permission levels to identify potential abuse
- Deploy database activity monitoring to detect enumeration patterns against protected properties
Monitoring Recommendations
- Enable comprehensive audit logging for all property modification operations in Neo4j
- Configure alerts for threshold violations on failed SET operations per user session
- Review database access logs regularly for signs of systematic property value enumeration
- Implement real-time monitoring of error message frequency by user and property combination
How to Mitigate CVE-2025-12738
Immediate Actions Required
- Upgrade Neo4j Enterprise to version 2025.11.2 or 5.26.17 or later immediately
- Review and audit current database user permissions and access control configurations
- Monitor database logs for signs of exploitation or enumeration attempts
- Restrict network access to Neo4j instances to trusted sources only
Patch Information
Neo4j has released patched versions that address this information disclosure vulnerability. Organizations should upgrade to Neo4j Enterprise edition version 2025.11.2 or 5.26.17 or above, where the issue is fixed. The patches modify error handling behavior to prevent information leakage through error message enumeration. For additional details, consult the Neo4j Security Advisory CVE-2025-12738.
Workarounds
- Implement network segmentation to limit database access to authorized services only
- Enhance monitoring and alerting for unusual property modification patterns
- Review and minimize user permissions to follow least privilege principles
- Consider implementing application-layer access controls as an additional defense layer
# Configuration example
# Review Neo4j version and plan upgrade
neo4j version
# Verify current installation and backup before upgrade
neo4j-admin database dump --database=neo4j --to-path=/backup/
# Follow Neo4j upgrade documentation to update to patched version
# Target versions: 2025.11.2 or 5.26.17 and above
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
