CVE-2025-4949

MEDIUM

Eclipse Jgit < 5.13.4 - Denial of Service

Title source: rule

Description

In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.

References (7)

[Issue Tracking, Vendor Advisory] https://gitlab.eclipse.org/security/cve-assignement/-/issues/64

[Exploit, Issue Tracking] https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281

[Release Notes] https://projects.eclipse.org/projects/technology.jgit/releases/5.13.4

[Release Notes] https://projects.eclipse.org/projects/technology.jgit/releases/6.10.1

[Release Notes] https://projects.eclipse.org/projects/technology.jgit/releases/7.0.1

[Release Notes] https://projects.eclipse.org/projects/technology.jgit/releases/7.1.1

[Release Notes] https://projects.eclipse.org/projects/technology.jgit/releases/7.2.1

Scores

CVSS v3 5.3

EPSS 0.0008

EPSS Percentile 24.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H

Classification

CWE

CWE-611 CWE-827

Status published

Affected Products (2)

eclipse/jgit < 5.13.4

org.eclipse.jgit/org.eclipse.jgit < 7.2.1.202505142326-rMaven

Timeline

Published May 21, 2025

Tracked Since Feb 18, 2026