CVE-2025-4949: XXE vulnerability in Eclipse JGit

6.8 CVSS

Description

In Eclipse JGit versions 7.2.0.202503040940-r and older, two classes are vulnerable to XML External Entity (XXE) attacks when parsing XML files: the ManifestParser class used by the repo command, and the AmazonS3 class that implements the experimental amazons3 git transport protocol, which allows git pack files to be stored in an Amazon S3 bucket. This vulnerability can lead to information disclosure, denial of service, and other security issues.
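The defensive configuration for this class of bug in JAXP-based Java code, as an added example that is not JGit's own patch: a DocumentBuilderFactory that rejects DOCTYPE declarations and external entities, exercised against a constructed manifest-style fragment. Class, method and sample names are assumptions; the same factory settings apply to any parser used for manifests or S3 list responses.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlParser {

    // Constructed sample: a manifest carrying a DOCTYPE that declares an external entity.
    // A default-configured parser would try to resolve it; the hardened parser refuses the DOCTYPE.
    static final String MANIFEST_WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE manifest [<!ENTITY ext SYSTEM \"file:///tmp/not-read\">]>\n"
      + "<manifest><project name=\"&ext;\"/></manifest>";

    // Constructed sample: a well-formed manifest with no DTD, which must still parse.
    static final String MANIFEST_PLAIN =
        "<?xml version=\"1.0\"?>\n"
      + "<manifest><remote name=\"origin\" fetch=\"..\"/><project name=\"example\"/></manifest>";

    // Hypothetical helper: builds a parser with DTDs and external entity resolution switched off.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Hypothetical helper: returns the first project name from a manifest document.
    static String parseProjectName(String xml) throws Exception {
        Document d = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
        return d.getElementsByTagName("project").item(0)
                .getAttributes().getNamedItem("name").getNodeValue();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(parseProjectName(MANIFEST_PLAIN));
        try {
            parseProjectName(MANIFEST_WITH_DTD);
        } catch (SAXException e) {
            // The parser stops at the DOCTYPE; no entity is ever resolved.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```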

Classification

CVE ID: CVE-2025-4949

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.8

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/S:N/AU:Y/R:U/V:D/RE:L/U:Green

Problem Types

CWE-611 Improper Restriction of XML External Entity Reference

CWE-827 Improper Control of Document Type Definition

Affected Products

Vendor: Eclipse JGit

Product: Eclipse JGit

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.07% (probability of being exploited)

EPSS Percentile: 23.24% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-06-19 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-4949
https://projects.eclipse.org/projects/technology.jgit/releases/7.2.1
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281
https://gitlab.eclipse.org/security/cve-assignement/-/issues/64

Timeline