CVE-2025-4949 — XML External Entity (XXE) Injection in Jgit

CWE-611 — XML External Entity (XXE) Injection CWE-827 — Improper Control of Document Type Definition9 documents7 sources

Severity

6.8MEDIUMNVD

EPSS

0.2%

top 58.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Eclipse Jgit Eclipse Jgit

Timeline

PublishedMay 21

Latest updateJan 15

Description

In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/S:N

Affected Packages2 packages

▶NVDeclipse/jgit6.0.0 — 6.10.1.202505221210+4

▶CVEListV5eclipse_jgit/eclipse_jgit7.2.0 — 7.2.1.202505142326-r+4

🔴Vulnerability Details

GHSA

Eclipse JGit XML External Entity (XXE) Vulnerability↗2025-05-21

▶

CVEList

XXE vulnerability in Eclipse JGit↗2025-05-21

▶

OSV

CVE-2025-4949: In Eclipse JGit versions 7↗2025-05-21

▶

OSV

Eclipse JGit XML External Entity (XXE) Vulnerability↗2025-05-21

▶

📋Vendor Advisories

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Security (Eclipse JGit) — CVE-2025-4949↗2026-01-15

▶

Oracle

Oracle Oracle Database Server Risk Matrix: SQLcl (jgit) — CVE-2025-4949↗2025-10-15

▶

Red Hat

org.eclipse.jgit: XXE vulnerability in Eclipse JGit↗2025-05-21

▶

Debian

CVE-2025-4949: jgit - In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser clas...↗2025

▶