PT-2025-22326 · Eclipse · Eclipse JGit

Intrigus-Lgtm

Published 2025-05-15 · Updated 2026-01-05 · CVE-2025-4949

CVSS v4.0: 6.8 (Medium)
Vector: AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Eclipse JGit versions 7.2.0.202503040940-r and older
Description: The ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol parse XML (a repo manifest file, and the XML returned by the S3-compatible endpoint, respectively) with a parser that processes external entities, so both are vulnerable to XML External Entity (XXE) attacks when that XML comes from an untrusted source. A crafted document can make the parser read local files and copy their contents into the parse result (information disclosure), tie up the process through entity expansion or external fetches (denial of service), or cause other security issues.
Recommendations: For Eclipse JGit versions 7.2.0.202503040940-r and older, keep untrusted XML away from the two affected code paths until you run a release that fixes this issue: do not run the repo command (ManifestParser) on manifest files from untrusted sources, and do not use the experimental amazons3 transport against endpoints you do not control. Where the transport must stay enabled, restrict which hosts it may talk to. This page does not record a release that contains the fix; check the upstream advisory (GHSA-VRPQ-QP53-QV56) and your distribution's update (the RHSA, SUSE-SU and openSUSE-SU identifiers listed below) for patched packages.
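The parser behaviour behind the description, as an added example written for this page (it is not JGit code and does not reproduce ManifestParser or AmazonS3): a repo-style manifest whose DOCTYPE declares an external entity is fed first to a JDK SAX parser at its default settings, which resolves the entity and copies the file's contents into the parsed attribute, and then to the same parser with DTDs and external entities disabled, which rejects the document. The manifest text, the target path /etc/hostname, and the names XxeDemo, RemoteHandler and parseManifest are constructed for the example.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class XxeDemo {
    // Constructed sample input: a repo-style manifest whose DOCTYPE declares an
    // external general entity pointing at a local file. A parser that resolves
    // external entities reads the file and substitutes its contents for &xxe;.
    static final String MALICIOUS_MANIFEST =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE manifest [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
        + "<manifest><remote name=\"origin\" fetch=\"&xxe;\"/></manifest>";

    // Minimal content handler: records the fetch attribute of <remote>, the kind
    // of value a manifest parser would later use to build URLs.
    static final class RemoteHandler extends DefaultHandler {
        String fetch;

        @Override
        public void startElement(String uri, String local, String qName, Attributes atts) {
            if ("remote".equals(qName)) {
                fetch = atts.getValue("fetch");
            }
        }
    }

    // Parses the manifest and returns the captured fetch value. With hardened=false
    // the factory keeps its JDK defaults (DOCTYPE allowed, external entities
    // resolved); with hardened=true DTD processing is refused outright.
    static String parseManifest(String xml, boolean hardened) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        if (hardened) {
            // Primary control: no DOCTYPE means no entity declarations at all,
            // which blocks both external entities and entity-expansion DoS.
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // Defence in depth for parsers that must still accept a DTD.
            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            factory.setXIncludeAware(false);
        }
        XMLReader reader = factory.newSAXParser().getXMLReader();
        RemoteHandler handler = new RemoteHandler();
        reader.setContentHandler(handler);
        reader.parse(new InputSource(new StringReader(xml)));
        return handler.fetch;
    }

    public static void main(String[] args) throws Exception {
        // Default settings: the entity is resolved, so the attribute now carries
        // the contents of /etc/hostname (or the parse fails with an I/O error for
        // a missing file, which still shows the parser reached for it).
        try {
            System.out.println("default parser: fetch=\"" + parseManifest(MALICIOUS_MANIFEST, false) + "\"");
        } catch (java.io.IOException e) {
            System.out.println("default parser tried to read the entity target: " + e);
        }
        // Hardened settings: the DOCTYPE itself is rejected before any entity is touched.
        try {
            parseManifest(MALICIOUS_MANIFEST, true);
            System.out.println("hardened parser: unexpectedly accepted the document");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected it: " + e.getMessage());
        }
    }
}
```

Run it with `java XxeDemo.java` on JDK 11 or later. Disallowing the DOCTYPE is the control that matters for XXE, since it also removes entity-expansion denial of service; the other feature flags are defence in depth for parsers that must accept a DTD. DOM and StAX factories expose the same controls under their own property names, so apply the equivalent settings to whichever parser API your code actually uses.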

Exploit

DoS

XXE

Weakness Enumeration

Related Identifiers

BDU:2026-01705
CVE-2025-4949
ECHO-6D20-537B-EF6E
GHSA-VRPQ-QP53-QV56
OPENSUSE-SU-2025:15232-1
RHSA-2025:22187
RHSA-2025:22188
RHSA-2025:22773
RHSA-2025:22775
RHSA-2026:4915
RHSA-2026:4916
RHSA-2026:4917
RHSA-2026:6011
SUSE-SU-2025:02762-1
SUSE-SU-2025_02762-1

Affected Products

Debian
Eclipse JGit
Suse