
CVE-2025-12738: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in neo4j Enterprise Edition

Severity: Low
Tags: Vulnerability, CVE-2025-12738, CWE-200
Published: Thu Jan 22 2026 (01/22/2026, 13:29:11 UTC)
Source: CVE Database V5
Vendor/Project: neo4j
Product: Enterprise Edition

Description

Neo4j Enterprise edition versions prior to 2025.11.2 and 5.26.17 are vulnerable to a potential information disclosure by an attacker who has some legitimate access to the database. The vulnerability allows an attacker without read access to a property to infer information about its value by trying to enumerate all possible values through observing error messages of SET property. We recommend upgrading to 2025.11.2 or 5.26.17 and above, where the issue is fixed.

AI-Powered Analysis

Last updated: 01/22/2026, 14:05:30 UTC

Technical Analysis

CVE-2025-12738 is an information disclosure vulnerability (CWE-200) affecting Neo4j Enterprise Edition versions prior to 2025.11.2 and 5.26.17. An attacker who has some legitimate access to the database but lacks read permission on specific properties can still infer their values: by attempting to SET a property to candidate values and observing the resulting error messages, which leak information about the correctness or existence of those values. Because the distinguishing information is carried in error messages generated during property modification, the attacker can enumerate possible values without ever being granted read access. This is a side channel that bypasses the property-level read controls meant to protect the data. Exploitation requires authenticated access with limited privileges but no user interaction, and can be carried out over the network. The CVSS 4.0 base score is 1.3, reflecting low severity due to the limited scope and impact. No exploitation in the wild has been reported, and the vendor has fixed the issue in versions 2025.11.2 and 5.26.17. Organizations running affected versions should upgrade promptly to prevent potential information leakage.

Potential Impact

For European organizations, the primary impact of this vulnerability is unauthorized disclosure of sensitive information stored in Neo4j databases. Although the attacker must have some legitimate access, the ability to infer property values without direct read permissions undermines data confidentiality controls. This could lead to exposure of personal data, intellectual property, or other confidential business information, potentially violating GDPR and other data protection regulations. The vulnerability does not affect data integrity or availability, so operational disruption is unlikely. However, the confidentiality breach could facilitate further attacks or insider threats. Sectors such as finance, telecommunications, healthcare, and government agencies in Europe that use Neo4j for complex data relationships and analytics are particularly at risk. The low severity score suggests limited immediate risk, but the sensitivity of exposed data and regulatory implications elevate the importance of mitigation.

Mitigation Recommendations

1. Upgrade Neo4j Enterprise Edition to version 2025.11.2 or 5.26.17 or later, where the vulnerability is fixed.
2. Review and tighten database access controls to minimize the number of users with any level of access, especially those with write permissions that could be exploited for enumeration.
3. Implement monitoring and alerting for unusual SET property operations or repeated failed attempts that could indicate enumeration activity.
4. Consider application-layer controls to limit the exposure of detailed error messages to authenticated users, potentially customizing error handling to avoid leaking sensitive information.
5. Conduct regular audits of database permissions and logs to detect potential misuse.
6. Educate database administrators and developers about the risks of information leakage through error messages and encourage secure coding and configuration practices.
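A defender-side check for recommendation 3, added here as an example that is not part of the advisory and not Neo4j's own tooling: it scans constructed, simplified audit lines (the line format is an assumption for illustration, not Neo4j's real query.log layout) and flags a user who repeatedly fails SET on the same property with many distinct candidate values inside a short window, which is the pattern the enumeration described above would leave behind.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "<timestamp> <user> SET <prop> = <value> <outcome> [<reason>]"
# format. This is NOT Neo4j's actual query.log format; adapt the regex to your deployment.
SAMPLE_LOG = """\
2026-01-22T10:00:01Z analyst1 SET n.salary = 50000 FAILED Forbidden
2026-01-22T10:00:02Z analyst1 SET n.salary = 51000 FAILED Forbidden
2026-01-22T10:00:03Z analyst1 SET n.salary = 52000 FAILED Forbidden
2026-01-22T10:00:04Z analyst1 SET n.salary = 53000 FAILED Forbidden
2026-01-22T10:00:05Z analyst1 SET n.salary = 54000 FAILED Forbidden
2026-01-22T10:00:06Z analyst1 SET n.salary = 55000 FAILED Forbidden
2026-01-22T10:05:00Z app_user SET n.status = 'active' OK
2026-01-22T10:05:10Z app_user SET n.status = 'inactive' OK
2026-01-22T11:00:00Z analyst2 SET n.salary = 60000 FAILED Forbidden
"""

LINE_RE = re.compile(r"^(\S+) (\S+) SET (\S+) = (.+?) (OK|FAILED)(?: (\S+))?$")


def parse(log_text):
    """Yield (timestamp, user, property, value, outcome); unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, prop, value, outcome, _reason = m.groups()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, prop, value, outcome))
    return events


def detect_enumeration(log_text, window=timedelta(minutes=5), threshold=5):
    """Alert when one user's failed SETs on one property try >= threshold distinct values within window."""
    failed = defaultdict(list)  # (user, property) -> [(timestamp, attempted value)]
    for ts, user, prop, value, outcome in parse(log_text):
        if outcome == "FAILED":
            failed[(user, prop)].append((ts, value))
    alerts = []
    for (user, prop), attempts in failed.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):  # sliding window anchored at each attempt
            values = {v for t, v in attempts[i:] if t - start <= window}
            if len(values) >= threshold:
                alerts.append({"user": user, "property": prop,
                               "distinct_values": len(values), "first_seen": start.isoformat()})
                break  # one alert per (user, property) is enough
    return alerts
```

Tune `window` and `threshold` to the write patterns of your own applications so that legitimate bulk updates (successful SETs are ignored here) do not trip the rule.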


Technical Details

Data Version: 5.2
Assigner Short Name: Neo4j
Date Reserved: 2025-11-05T08:56:50.124Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69722b404623b1157c72bdd2

Added to database: 1/22/2026, 1:50:56 PM

Last enriched: 1/22/2026, 2:05:30 PM

Last updated: 2/5/2026, 9:56:35 PM

