Moderate severityNVD Advisory· Published May 21, 2025· Updated Oct 14, 2025
XXE vulnerability in Eclipse JGit
CVE-2025-4949
Description
In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.eclipse.jgit:org.eclipse.jgitMaven | >= 7.2.0.202503040940-r, < 7.2.1.202505142326-r | 7.2.1.202505142326-r |
org.eclipse.jgit:org.eclipse.jgitMaven | >= 7.1.0.202411261347-r, < 7.1.1.202505221757-r | 7.1.1.202505221757-r |
org.eclipse.jgit:org.eclipse.jgitMaven | >= 7.0.0.202409031743-r, < 7.0.1.202505221510-r | 7.0.1.202505221510-r |
org.eclipse.jgit:org.eclipse.jgitMaven | >= 6.1.0.202203080745-r, < 6.10.1.202505221210-r | 6.10.1.202505221210-r |
org.eclipse.jgit:org.eclipse.jgitMaven | >= 6.0.0.202110060947-m1, < 6.0.0.202111291000-r | 6.0.0.202111291000-r |
org.eclipse.jgit:org.eclipse.jgitMaven | < 5.13.4.202507202350-r | 5.13.4.202507202350-r |
Affected products
48- osv-coords47 versionspkg:apk/chainguard/apache-nifi-registrypkg:apk/chainguard/apache-nifi-registry-toolkitpkg:apk/chainguard/apicurio-registrypkg:apk/chainguard/apicurio-registry-nginx-configpkg:apk/chainguard/apicurio-registry-uipkg:apk/chainguard/gradle-8pkg:apk/chainguard/nextflowpkg:apk/chainguard/nextflow-compatpkg:apk/chainguard/sonarqube-10pkg:apk/chainguard/sonarqube-10-docker-compatpkg:apk/chainguard/sonarqube-10-scriptspkg:apk/chainguard/thingsboardpkg:apk/chainguard/thingsboard-tb-js-executorpkg:apk/chainguard/thingsboard-tb-mqtt-transportpkg:apk/chainguard/thingsboard-tb-nodepkg:apk/chainguard/thingsboard-tb-web-uipkg:apk/chainguard/wildflypkg:apk/chainguard/wildfly-openjdk-17pkg:apk/chainguard/wildfly-openjdk-17-compatpkg:apk/chainguard/wildfly-openjdk-21pkg:apk/chainguard/wildfly-openjdk-21-compatpkg:apk/wolfi/apache-nifi-registrypkg:apk/wolfi/apache-nifi-registry-toolkitpkg:apk/wolfi/apicurio-registrypkg:apk/wolfi/apicurio-registry-nginx-configpkg:apk/wolfi/apicurio-registry-uipkg:apk/wolfi/gradle-8pkg:apk/wolfi/nextflowpkg:apk/wolfi/nextflow-compatpkg:apk/wolfi/sonarqube-10pkg:apk/wolfi/sonarqube-10-docker-compatpkg:apk/wolfi/sonarqube-10-scriptspkg:apk/wolfi/thingsboardpkg:apk/wolfi/thingsboard-tb-js-executorpkg:apk/wolfi/thingsboard-tb-mqtt-transportpkg:apk/wolfi/thingsboard-tb-nodepkg:apk/wolfi/thingsboard-tb-web-uipkg:apk/wolfi/wildflypkg:apk/wolfi/wildfly-openjdk-17pkg:apk/wolfi/wildfly-openjdk-17-compatpkg:apk/wolfi/wildfly-openjdk-21pkg:apk/wolfi/wildfly-openjdk-21-compatpkg:maven/org.eclipse.jgit/org.eclipse.jgitpkg:rpm/opensuse/eclipse-jgit&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/jgit&distro=openSUSE%20Tumbleweedpkg:rpm/suse/jgit&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP6pkg:rpm/suse/jgit&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP7
< 2.4.0-r1+ 46 more
- (no CPE)range: < 2.4.0-r1
- (no CPE)range: < 2.4.0-r1
- (no CPE)range: < 3.0.7-r1
- (no CPE)range: < 3.0.7-r1
- (no CPE)range: < 3.0.7-r1
- (no CPE)range: < 8.14.1-r1
- (no CPE)range: < 25.04.2-r1
- (no CPE)range: < 25.04.2-r1
- (no CPE)range: < 25.5.0.107428-r1
- (no CPE)range: < 25.5.0.107428-r1
- (no CPE)range: < 25.5.0.107428-r1
- (no CPE)range: < 4.0.1-r2
- (no CPE)range: < 4.0.1-r2
- (no CPE)range: < 4.0.1-r2
- (no CPE)range: < 4.0.1-r2
- (no CPE)range: < 4.0.1-r2
- (no CPE)range: < 36.0.1-r1
- (no CPE)range: < 36.0.1-r1
- (no CPE)range: < 36.0.1-r1
- (no CPE)range: < 36.0.1-r1
- (no CPE)range: < 36.0.1-r1
- (no CPE)range: < 2.4.0-r1
- (no CPE)range: < 2.4.0-r1
- (no CPE)range: < 3.0.7-r1
- (no CPE)range: < 3.0.7-r1
- (no CPE)range: < 3.0.7-r1
- (no CPE)range: < 8.14.1-r1
- (no CPE)range: < 25.04.2-r1
- (no CPE)range: < 25.04.2-r1
- (no CPE)range: < 25.5.0.107428-r1
- (no CPE)range: < 25.5.0.107428-r1
- (no CPE)range: < 25.5.0.107428-r1
- (no CPE)range: < 4.0.1-r2
- (no CPE)range: < 4.0.1-r2
- (no CPE)range: < 4.0.1-r2
- (no CPE)range: < 4.0.1-r2
- (no CPE)range: < 4.0.1-r2
- (no CPE)range: < 36.0.1-r1
- (no CPE)range: < 36.0.1-r1
- (no CPE)range: < 36.0.1-r1
- (no CPE)range: < 36.0.1-r1
- (no CPE)range: < 36.0.1-r1
- (no CPE)range: >= 7.2.0.202503040940-r, < 7.2.1.202505142326-r
- (no CPE)range: < 5.11.0-150200.3.23.1
- (no CPE)range: < 5.11.0-2.1
- (no CPE)range: < 5.11.0-150200.3.23.1
- (no CPE)range: < 5.11.0-150200.3.23.1
- Eclipse JGit/Eclipse JGitv5Range: 7.2.0
Patches
Vulnerability mechanics
References
10- github.com/advisories/GHSA-vrpq-qp53-qv56ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-4949ghsaADVISORY
- gitlab.eclipse.org/security/cve-assignement/-/issues/64ghsaissue-trackingWEB
- gitlab.eclipse.org/security/vulnerability-reports/-/issues/281ghsaissue-trackingWEB
- projects.eclipse.org/projects/technology.jgit/releases/5.13.4ghsarelease-notesWEB
- projects.eclipse.org/projects/technology.jgit/releases/5.13.5ghsaWEB
- projects.eclipse.org/projects/technology.jgit/releases/6.10.1ghsarelease-notesWEB
- projects.eclipse.org/projects/technology.jgit/releases/7.0.1ghsarelease-notesWEB
- projects.eclipse.org/projects/technology.jgit/releases/7.1.1ghsarelease-notesWEB
- projects.eclipse.org/projects/technology.jgit/releases/7.2.1ghsarelease-notesWEB
News mentions
0No linked articles in our index yet.