CVE-2025-4949
Eclipse JGit XML External Entity (XXE) Vulnerability
Severity: 5.3 MEDIUM (CVSS 3.1) | EPSS: 0.20%
Description
In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command, and the AmazonS3 class that implements the experimental amazons3 git transport protocol (which stores git pack files in an Amazon S3 bucket), are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.
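The defensive pattern for this bug class, shown here as an added Java example that is not JGit's code or its actual fix: a SAX reader configured to reject DOCTYPE declarations and never resolve external entities, run over a constructed repo-style manifest. The class and method names are assumptions.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedXmlReader {

    // Reader that refuses DOCTYPE declarations (closing the XXE and entity-expansion
    // class outright) and, as a second layer, disables external entity resolution.
    public static XMLReader newHardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        XMLReader r = f.newSAXParser().getXMLReader();
        // Belt and braces: if an entity reference ever reaches the resolver, hand back nothing.
        r.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return r;
    }

    // Counts <project> elements in a manifest; throws on any document carrying a DOCTYPE.
    public static int countProjects(String manifestXml) throws Exception {
        int[] count = {0};
        XMLReader r = newHardenedReader();
        r.setContentHandler(new DefaultHandler() {
            @Override public void startElement(String uri, String local, String qName, Attributes a) {
                if ("project".equals(qName)) count[0]++;
            }
        });
        r.parse(new InputSource(new StringReader(manifestXml)));
        return count[0];
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a benign manifest, and one declaring an external entity.
        String benign = "<manifest><project name=\"a\" path=\"a\"/><project name=\"b\" path=\"b\"/></manifest>";
        String doctype = "<!DOCTYPE m [<!ENTITY x SYSTEM \"file:///constructed/placeholder\">]>"
                + "<manifest><project name=\"&x;\"/></manifest>";
        System.out.println("benign manifest: " + countProjects(benign) + " projects");
        try {
            countProjects(doctype);
        } catch (SAXException e) {
            System.out.println("rejected manifest with DOCTYPE: " + e.getMessage());
        }
    }
}
```

Parsers that use StAX instead of SAX need the equivalent settings on XMLInputFactory (SUPPORT_DTD and IS_SUPPORTING_EXTERNAL_ENTITIES set to false).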
How to fix CVE-2025-4949
To remediate CVE-2025-4949, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 7.2.1.202505142326-r or later
Is CVE-2025-4949 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0
- >= 7.2.0.202503040940-r, < 7.2.1.202505142326-r
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H |