CVE-2025-4949: Eclipse JGit XML External Entity (XXE) Vulnerability
(updated )
In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.
References
- github.com/advisories/GHSA-vrpq-qp53-qv56
- github.com/eclipse-jgit/jgit
- gitlab.eclipse.org/security/cve-assignement/-/issues/64
- gitlab.eclipse.org/security/vulnerability-reports/-/issues/281
- nvd.nist.gov/vuln/detail/CVE-2025-4949
- projects.eclipse.org/projects/technology.jgit/releases/5.13.4
- projects.eclipse.org/projects/technology.jgit/releases/6.10.1
- projects.eclipse.org/projects/technology.jgit/releases/7.0.1
- projects.eclipse.org/projects/technology.jgit/releases/7.1.1
- projects.eclipse.org/projects/technology.jgit/releases/7.2.1
Code Behaviors & Features
Detect and mitigate CVE-2025-4949 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →