CVE-2025-4949

MEDIUM

Eclipse Jgit < 5.13.4 - Denial of Service

Title source: rule

Description

In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.

References (7)

[Release Notes] https://projects.eclipse.org/projects/technology.jgit/releases/7.2.1

[Release Notes] https://projects.eclipse.org/projects/technology.jgit/releases/7.1.1

[Release Notes] https://projects.eclipse.org/projects/technology.jgit/releases/7.0.1

[Release Notes] https://projects.eclipse.org/projects/technology.jgit/releases/6.10.1

[Exploit, Issue Tracking] https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281

[Issue Tracking, Vendor Advisory] https://gitlab.eclipse.org/security/cve-assignement/-/issues/64

[Release Notes] https://projects.eclipse.org/projects/technology.jgit/releases/5.13.4

Scores

CVSS v3 5.3

EPSS 0.0020

EPSS Percentile 41.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-611 CWE-827

Status published

Products (2)

eclipse/jgit < 5.13.4

org.eclipse.jgit/org.eclipse.jgit 7.2.0.202503040940-r - 7.2.1.202505142326-rMaven

Published May 21, 2025

Tracked Since Feb 18, 2026