CVE-2025-4949 - Improper Restriction of XML External Entity Reference

Severity

98%

Complexity

39%

Confidentiality

98%

In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.

CVSS 3.1 Base Score 9.8. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Overview

First reported 2 months ago

2025-05-21 07:16:00

Last updated 1 month ago

2025-06-17 14:10:00

Affected Software

Eclipse JGit

References

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.

CVE-2025-4949 - Improper Restriction of XML External Entity Reference

Severity

What is severity?

Complexity

What is complexity?

Confidentiality

What is confidentiality?

Overview

First reported 2 months ago

Last updated 1 month ago

Affected Software

Eclipse JGit

References

https://gitlab.eclipse.org/security/cve-assignement/-/issues/64

https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281

https://projects.eclipse.org/projects/technology.jgit/releases/6.10.1

https://projects.eclipse.org/projects/technology.jgit/releases/7.0.1

https://projects.eclipse.org/projects/technology.jgit/releases/7.1.1

https://projects.eclipse.org/projects/technology.jgit/releases/7.2.1

Stay updated

Get in touch