CVE-2025-11602

Severity CVSS v4.0:

MEDIUM

Type:

CWE-226 Sensitive Information in Resource Not Removed Before Reuse

Publication date:

31/10/2025

Last modified:

04/11/2025

Description

Potential information leak in bolt protocol handshake in Neo4j Enterprise and Community editions allows attacker to obtain one byte of information from previous connections. The attacker has no control over the information leaked in server responses.

Impact

Vector 4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/V:D/U:Clear CVSS v4.0 Severity and Metrics:

Base Score: 6.30 MEDIUM
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/V:D/U:Clear

Attack Vector (AV): Network
Attack Complexity (AC): Low
Attack Requirements (AT): Present
Privileges Required (PR): None
User Interaction (UI): None
Confidentiality (VC): Low
Integrity (VI): None
Availability (VA): None
Confidentiality (SC): None
Integrity (SI): None
Availability (SA): None
Value Density (V): Diffuse
Provider Urgency (U): Clear

Base Score 4.0

6.30

Severity 4.0

MEDIUM

References to Advisories, Solutions, and Tools

https://neo4j.com/security/cve-2025-11602