CVE-2025-4949

Source
https://cve.org/CVERecord?id=CVE-2025-4949
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-4949.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-4949
Aliases
Downstream
Related
Published
2025-05-21T06:47:19.777Z
Modified
2026-07-01T12:12:26.027234261Z
Severity
  • 6.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/S:N/AU:Y/R:U/V:D/RE:L/U:Green CVSS Calculator
Summary
XXE vulnerability in Eclipse JGit
Details

In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/4xxx/CVE-2025-4949.json",
    "cna_assigner": "eclipse",
    "cwe_ids": [
        "CWE-611",
        "CWE-827"
    ]
}
References

Affected packages

Git / github.com/eclipse-jgit/jgit

Affected ranges

Type
GIT
Repo
https://github.com/eclipse-jgit/jgit
Events
Database specific
{
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.13.4"
        },
        {
            "introduced": "6.0.0"
        },
        {
            "fixed": "6.10.1.202505221210"
        },
        {
            "introduced": "7.0.0"
        },
        {
            "fixed": "7.0.1.202505221510"
        },
        {
            "introduced": "7.1.0"
        },
        {
            "fixed": "7.1.1.202505221757"
        },
        {
            "introduced": "7.2.0"
        },
        {
            "fixed": "7.2.1.202505142326"
        }
    ],
    "cpe": "cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:*"
}

Affected versions

v0.*
v0.11.1
v0.8.1
v1.*
v1.1.0.201109011030-rc2
v1.1.0.201109071825-rc3
v1.1.0.201109151100-r
v2.*
v2.2.0.201212191850-r
v3.*
v3.4.0.201405051725-m7
v3.4.0.201405211411-rc1
v3.6.0.201411121045-m1
v5.*
v5.13.0.202108250949-m3
v5.13.0.202109011149-rc1
v5.13.0.202109080827-r
v5.13.1.202206130422-r
v5.13.2.202306221912-r
v5.13.3.202401111512-r
v6.*
v6.10.0.202405212237-m3
v6.10.0.202405282244-rc1
v6.10.0.202405290101-rc1
v6.10.0.202406032110-r
v6.10.0.202406032230-r
v7.*
v7.0.0.202407101547-m1
v7.0.0.202407311305-m2
v7.0.0.202408201547-m3
v7.0.0.202408271414-rc1
v7.0.0.202409031743-r
v7.0.0.202409201410-m3
v7.1.0.202410012040-m1
v7.1.0.202410232130-m2
v7.1.0.202411121450-m3
v7.1.0.202411191359-rc1
v7.1.0.202411261347-r
v7.2.0.202501291320-m2
v7.2.0.202502191417-m3
v7.2.0.202502261823-rc1
v7.2.0.202503040940-r

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-4949.json"