CVE-2025-4949

In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://gitlab.eclipse.org/security/cve-assignement/-/issues/64	Vendor Advisory Issue Tracking
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281	Exploit Issue Tracking
https://projects.eclipse.org/projects/technology.jgit/releases/6.10.1	Release Notes
https://projects.eclipse.org/projects/technology.jgit/releases/7.0.1	Release Notes
https://projects.eclipse.org/projects/technology.jgit/releases/7.1.1	Release Notes
https://projects.eclipse.org/projects/technology.jgit/releases/7.2.1	Release Notes
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281	Exploit Issue Tracking

Configurations

Configuration 1 (hide)

cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:*

History

17 Jun 2025, 14:10

Type	Values Removed	Values Added
References	~~() https://gitlab.eclipse.org/security/cve-assignement/-/issues/64 -~~	() https://gitlab.eclipse.org/security/cve-assignement/-/issues/64 - Vendor Advisory, Issue Tracking
References	~~() https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281 -~~	() https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281 - Exploit, Issue Tracking
References	~~() https://projects.eclipse.org/projects/technology.jgit/releases/6.10.1 -~~	() https://projects.eclipse.org/projects/technology.jgit/releases/6.10.1 - Release Notes
References	~~() https://projects.eclipse.org/projects/technology.jgit/releases/7.0.1 -~~	() https://projects.eclipse.org/projects/technology.jgit/releases/7.0.1 - Release Notes
References	~~() https://projects.eclipse.org/projects/technology.jgit/releases/7.1.1 -~~	() https://projects.eclipse.org/projects/technology.jgit/releases/7.1.1 - Release Notes
References	~~() https://projects.eclipse.org/projects/technology.jgit/releases/7.2.1 -~~	() https://projects.eclipse.org/projects/technology.jgit/releases/7.2.1 - Release Notes
CPE		cpe:2.3:a:eclipse:jgit::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
First Time		Eclipse Eclipse jgit

23 May 2025, 07:15

Type	Values Removed	Values Added
References		() https://projects.eclipse.org/projects/technology.jgit/releases/6.10.1 - () https://projects.eclipse.org/projects/technology.jgit/releases/7.0.1 - () https://projects.eclipse.org/projects/technology.jgit/releases/7.1.1 -
Summary		(es) En las versiones 7.2.0.202503040940-r y anteriores de Eclipse JGit, la clase ManifestParser, utilizada por el comando repo, y la clase AmazonS3, utilizada para implementar el protocolo experimental de transporte de Git amazons3, que permite almacenar archivos de paquetes de Git en un bucket de Amazon S3, son vulnerables a ataques de Entidad Externa XML (XXE) al analizar archivos XML. Esta vulnerabilidad puede provocar divulgación de información, denegación de servicio y otros problemas de seguridad.

21 May 2025, 12:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-21 07:16

Updated : 2025-06-17 14:10

NVD link : CVE-2025-4949

Mitre link : CVE-2025-4949

CVE.ORG link : CVE-2025-4949

JSON object : View

Products Affected

eclipse

jgit

CWE

CWE-611

Improper Restriction of XML External Entity Reference

CWE-827

Improper Control of Document Type Definition

9.8 /10