CVE-2025-4949 MEDIUM

CVE-2025-4949: XXE vulnerability in Eclipse JGit

Vendor Eclipse JGit
Product Eclipse JGit
Weakness CWE-611 · XXE
Published May 21, 2025
Last update October 14, 2025

CVSS base score

6.8/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Active
Confidentiality High
Integrity None

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/S:N/AU:Y/R:U/V:D/RE:L/U:Green

What the vulnerability does

Description

In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command, and the AmazonS3 class that implements the experimental amazons3 git transport protocol (which allows git pack files to be stored in an Amazon S3 bucket), are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.

Key dates

Disclosure timeline

May 21, 2025 CVE published
October 14, 2025 Record updated