CVE-2025-4949

Severity: Medium · EPSS: 60.9%
Published: May 21, 2025 · Modified: Jun 17, 2026
CVSS 4.0 base score: 6.8 (Medium)

Description

In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command, and the AmazonS3 class used to implement the experimental amazons3 git transport protocol (which allows git pack files to be stored in an Amazon S3 bucket), are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.
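The fix class for CWE-611 and CWE-827 is to configure the XML parser so that it refuses DTDs and external entities before any entity can be resolved. The following is an added example, not JGit's own code or its patch: a hardened JAXP DocumentBuilder checked against a constructed manifest-style document with and without an external entity declaration (the class name, the manifest content and the placeholder SYSTEM URI are assumptions; the same features apply to a SAXParserFactory).

```java
// Added example (not JGit's code): a DOM parser configured to refuse DTDs and
// external entities, the mitigation class for CWE-611 / CWE-827 in Java XML parsing.
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.xml.sax.SAXException;

public class HardenedXmlParser {
    // Build a DocumentBuilder with every entity-expansion path closed.
    public static DocumentBuilder newSecureBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse any DOCTYPE: without a DTD there is nowhere to declare an entity.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case an implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 properties: no external DTD or schema fetches at all.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    // True when the input parsed, false when the hardened parser rejected it.
    public static boolean parses(String xml) throws Exception {
        try {
            newSecureBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (SAXException e) {
            // A DOCTYPE in the input trips disallow-doctype-decl before any entity is resolved.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a minimal repo-style manifest without a DTD.
        String benign = "<manifest><project name=\"example\" path=\"ex\"/></manifest>";
        // Constructed sample: the same manifest with an external entity declaration (placeholder URI).
        String withEntity = "<!DOCTYPE manifest [<!ENTITY ext SYSTEM \"file:///placeholder\">]>"
            + "<manifest><project name=\"&ext;\" path=\"ex\"/></manifest>";
        System.out.println("manifest without DTD parses: " + parses(benign));
        System.out.println("manifest with external entity parses: " + parses(withEntity));
    }
}
```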

CVSS Details

Base Score
6.8
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:D/RE:L/U:Green
Attack Vector Network
Attack Complexity High
Privileges Required Low
User Interaction Active
Scope N

Threat Intelligence

EPSS Exploit Probability
60.9% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 2

CWE-611 Improper Restriction of XML External Entity Reference
CWE-827 Improper Control of Document Type Definition

Affected Products 5

Vendor   Product  Version  Range
eclipse  jgit     *        <5.13.4
eclipse  jgit     *        ≥6.0.0, <6.10.1.202505221210
eclipse  jgit     *        ≥7.0.0, <7.0.1.202505221510
eclipse  jgit     *        ≥7.1.0, <7.1.1.202505221757
eclipse  jgit     *        ≥7.2.0, <7.2.1.202505142326

References 7

  • gitlab.eclipse.org https://gitlab.eclipse.org/security/cve-assignement/-/issues/64
    Issue Tracking, Vendor Advisory
  • gitlab.eclipse.org https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281
    Exploit, Issue Tracking
  • projects.eclipse.org https://projects.eclipse.org/projects/technology.jgit/releases/5.13.4
    Release Notes
  • projects.eclipse.org https://projects.eclipse.org/projects/technology.jgit/releases/6.10.1
    Release Notes
  • projects.eclipse.org https://projects.eclipse.org/projects/technology.jgit/releases/7.0.1
    Release Notes
  • projects.eclipse.org https://projects.eclipse.org/projects/technology.jgit/releases/7.1.1
    Release Notes
  • projects.eclipse.org https://projects.eclipse.org/projects/technology.jgit/releases/7.2.1
    Release Notes

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.