CVE-2025-4949

Public Exploit

XXE vulnerability in Eclipse JGit

Description

In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.

References

Link	Tags
https://projects.eclipse.org/projects/technology.jgit/releases/7.2.1	release notes
https://projects.eclipse.org/projects/technology.jgit/releases/7.1.1	release notes
https://projects.eclipse.org/projects/technology.jgit/releases/7.0.1	release notes
https://projects.eclipse.org/projects/technology.jgit/releases/6.10.1	release notes
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281	exploit issue tracking
https://gitlab.eclipse.org/security/cve-assignement/-/issues/64	vendor advisory issue tracking

Frequently Asked Questions

What is the severity of CVE-2025-4949?: CVE-2025-4949 has been scored as a medium severity vulnerability.
How to fix CVE-2025-4949?: To fix CVE-2025-4949, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-4949 being actively exploited in the wild?: It is possible that CVE-2025-4949 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-4949?: CVE-2025-4949 affects Eclipse JGit Eclipse JGit, Eclipse JGit Eclipse JGit.

Description

Category

CWE-611 – Improper Restriction of XML External Entity Reference

References

Frequently Asked Questions