CVE-2025-4949
XML External Entity (XXE) vulnerability in org.eclipse.jgit (Maven)
What is CVE-2025-4949 About?
This vulnerability in Eclipse JGit allows for XML External Entity (XXE) attacks when parsing XML files, specifically through the `ManifestParser` and `AmazonS3` classes. Successful exploitation can lead to information disclosure, denial of service, and other security issues, posing a significant risk to data confidentiality and system availability. Exploiting this vulnerability would likely involve supplying a malicious XML file, making it moderately easy to leverage given the right context.
Affected Software
- org.eclipse.jgit:org.eclipse.jgit
- >7.1.0.202411261347-r, <7.1.1.202505221757-r
- <6.10.1.202505221210-r
- >7.0.0.202409031743-r, <7.0.1.202505221510-r
- >7.2.0.202503040940-r, <7.2.1.202505142326-r
Technical Details
The vulnerability resides in Eclipse JGit versions 7.2.0.202503040940-r and older, specifically within the `ManifestParser` class used by the `repo` command and the `AmazonS3` class, which implements the experimental `amazons3` git transport protocol. Both classes are susceptible to XML External Entity (XXE) attacks when parsing XML files. An attacker can craft a malicious XML file that, when processed by these components, declares external entities. This enables several attack vectors: reading arbitrary local files (information disclosure), denial of service by making the parser fetch internal or external resources excessively, and potentially server-side request forgery (SSRF) if the XML parser resolves external URIs.
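The `ManifestParser` and `AmazonS3` classes described above both parse XML, and the defence against XXE is the same for any `javax.xml` SAX parser: refuse DOCTYPE declarations and disable external entity and external DTD loading. The Java program below is an added illustration of that hardening, not JGit's own code or its fix. The class and method names are hypothetical, the repo-style manifest is a constructed sample, and the program shows the hardened parser accepting a benign manifest while rejecting a document that carries a DOCTYPE.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.Attributes;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

// Hypothetical class name; this is an added example, not code from JGit.
public class HardenedManifestParse {

    /**
     * Build a SAX parser that refuses DOCTYPE declarations and never resolves
     * external entities or external DTDs. This is the standard XXE mitigation
     * for javax.xml parsers, independent of how JGit itself fixed the issue.
     */
    static SAXParser hardenedParser() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setXIncludeAware(false);
        // Any document with a DOCTYPE is rejected before entity declarations are read.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parser implementations that ignore the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f.newSAXParser();
    }

    /** Extract each project's checkout path (or its name when no path is given). */
    static List<String> projectPaths(InputStream in) throws Exception {
        List<String> paths = new ArrayList<>();
        DefaultHandler handler = new DefaultHandler() {
            @Override
            public void startElement(String uri, String localName, String qName, Attributes atts) {
                if ("project".equals(localName)) {
                    String path = atts.getValue("path");
                    paths.add(path != null ? path : atts.getValue("name"));
                }
            }
        };
        hardenedParser().parse(in, handler);
        return paths;
    }

    static InputStream utf8(String s) {
        return new ByteArrayInputStream(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample in the repo manifest layout; not taken from any real project.
        String benign = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
                + "<manifest>\n"
                + "  <remote name=\"origin\" fetch=\"https://git.example.invalid/\"/>\n"
                + "  <default remote=\"origin\" revision=\"main\"/>\n"
                + "  <project name=\"platform/build\" path=\"build\"/>\n"
                + "  <project name=\"platform/tools\"/>\n"
                + "</manifest>\n";
        System.out.println("benign manifest -> " + projectPaths(utf8(benign)));

        // Constructed document carrying a DOCTYPE with an entity declaration. A parser
        // that honours DOCTYPEs would expand &e; here; the hardened one rejects the
        // whole document instead, which is the behaviour to assert in a regression test.
        String withDoctype = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE manifest [ <!ENTITY e \"expanded\"> ]>\n"
                + "<manifest><project name=\"&e;\"/></manifest>\n";
        try {
            projectPaths(utf8(withDoctype));
            System.out.println("UNEXPECTED: document with DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The second case is the regression check worth keeping in a test suite: if the hardened parser ever accepts a DOCTYPE, the mitigation has been lost. A test like this only covers parsers your own code constructs; it cannot reconfigure the parser a library builds internally, so for the JGit classes named on this page the remedy is the version upgrade listed under the fixes section.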
What is the Impact of CVE-2025-4949?
Successful exploitation may allow an attacker to disclose sensitive information (such as local file contents), cause a denial of service that renders the service unavailable, or perform server-side request forgery.
What is the Exploitability of CVE-2025-4949?
Exploitation typically involves supplying a specially crafted XML file to a component that uses the vulnerable `ManifestParser` or `AmazonS3` class for parsing. The complexity is moderate, as it requires knowledge of XXE attack vectors and of how the target processes XML. No authentication is required to trigger the XXE if the application processes untrusted XML. The vulnerability can be considered remotely exploitable if the XML file is uploaded or supplied through a remote interface, or local if it involves manipulating local files. The primary prerequisite is that the system processes attacker-controlled XML input through the affected JGit components. Special conditions relate to how XML input is handled and whether external entity resolution is enabled or can be enabled.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-4949?
Available Upgrade Options
- org.eclipse.jgit:org.eclipse.jgit
- <6.10.1.202505221210-r → Upgrade to 6.10.1.202505221210-r
- org.eclipse.jgit:org.eclipse.jgit
- >7.0.0.202409031743-r, <7.0.1.202505221510-r → Upgrade to 7.0.1.202505221510-r
- org.eclipse.jgit:org.eclipse.jgit
- >7.1.0.202411261347-r, <7.1.1.202505221757-r → Upgrade to 7.1.1.202505221757-r
- org.eclipse.jgit:org.eclipse.jgit
- >7.2.0.202503040940-r, <7.2.1.202505142326-r → Upgrade to 7.2.1.202505142326-r
Additional Resources
- https://projects.eclipse.org/projects/technology.jgit/releases/7.2.1
- https://projects.eclipse.org/projects/technology.jgit/releases/7.1.1
- https://projects.eclipse.org/projects/technology.jgit/releases/6.10.1
- https://projects.eclipse.org/projects/technology.jgit/releases/5.13.4
- https://nvd.nist.gov/vuln/detail/CVE-2025-4949
- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281
What are Similar Vulnerabilities to CVE-2025-4949?
Similar Vulnerabilities: CVE-2023-38545, CVE-2022-22965, CVE-2021-35561, CVE-2018-8012, CVE-2017-9804
