// For flags

CVE-2025-4949

XXE vulnerability in Eclipse JGit

Severity Score

6.8
*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.

*Credits: Simon Gerst (intrigus-lgtm) https://intrigus.org
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Attack Requirements
None
Privileges Required
Low
User Interaction
Active
System
Vulnerable | Subsequent
Confidentiality
High
High
Integrity
None
None
Availability
None
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
Poc
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2025-05-19 CVE Reserved
  • 2025-05-21 CVE Published
  • 2025-05-23 CVE Updated
  • 2025-05-23 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-611: Improper Restriction of XML External Entity Reference
  • CWE-827: Improper Control of Document Type Definition
CAPEC
  • CAPEC-201: Serialized Data External Linking
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
---- -