XXE vulnerability in Eclipse JGit
Description
In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command, and the AmazonS3 class used to implement the experimental amazons3 git transport protocol (which allows git pack files to be stored in an Amazon S3 bucket), are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Eclipse JGit ManifestParser and AmazonS3 classes are vulnerable to XXE attacks when parsing XML, leading to information disclosure or denial of service.
Vulnerability
Overview
In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class (used by the repo command) and the AmazonS3 class (implementing the experimental amazons3 git transport protocol) are vulnerable to XML External Entity (XXE) attacks. The flaw arises because these components do not properly disable DOCTYPE declarations or external entity processing when parsing XML files, allowing an attacker to inject malicious XML [1].
Exploitation and Attack Surface
To exploit this vulnerability, an attacker must supply a crafted XML file to one of the vulnerable parsers. In the context of the repo command, this could occur when processing repository manifests. For AmazonS3, the attack can be triggered by providing a malicious XML response when the client interacts with an S3 bucket. No special authentication is necessarily required beyond the ability to cause the JGit application to parse attacker-controlled XML [1][4].
Impact
Successful exploitation can lead to information disclosure (e.g., reading local files via external entities), denial of service, or other security consequences depending on how the XML parser is configured. The vulnerability has been addressed in JGit release 7.0.1, where DOCTYPE and entity processing are explicitly disabled in both ManifestParser and AmazonS3 [4].
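The hardening the two paragraphs above describe, rejecting DOCTYPE declarations and disabling external entity resolution before any manifest or S3 response is handed to the parser, shown as a self-contained Java program. This is an added example written for this page; it is not JGit's own code or its actual patch. The class name HardenedXmlDemo, the helper names, and the two manifest-like documents are constructed for illustration; the feature URIs are the standard Xerces/JAXP ones honoured by the JDK's built-in parser.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedXmlDemo {

    // Constructed sample: a manifest-like document carrying a DOCTYPE with an
    // internal entity. A hardened parser must reject it at the DOCTYPE line,
    // before any entity (internal or external) is declared or resolved.
    static final String WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE manifest [<!ENTITY ex \"expanded\">]>\n"
        + "<manifest><remote name=\"&ex;\"/></manifest>";

    // Constructed sample: the same manifest without a DOCTYPE; must still parse.
    static final String PLAIN =
        "<?xml version=\"1.0\"?><manifest><remote name=\"origin\"/></manifest>";

    /** SAX reader with DOCTYPE, external entities and external DTD loading disabled. */
    static XMLReader hardenedSaxReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        XMLReader r = f.newSAXParser().getXMLReader();
        // Defence in depth: even if a DTD were ever processed, resolve nothing external.
        r.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return r;
    }

    /** DOM factory with the same hardening, for code paths that build a Document. */
    static DocumentBuilderFactory hardenedDomFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** True if the hardened SAX reader accepts the document, false if it rejects it. */
    static boolean saxAccepts(String xml) throws Exception {
        XMLReader r = hardenedSaxReader();
        r.setContentHandler(new DefaultHandler());
        try (InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))) {
            r.parse(new InputSource(in));
            return true;
        } catch (SAXParseException e) {
            // With the JDK's Xerces this is the "DOCTYPE is disallowed" error.
            return false;
        }
    }

    /** Same check through the DOM API. */
    static boolean domAccepts(String xml) throws Exception {
        DocumentBuilder b = hardenedDomFactory().newDocumentBuilder();
        try (InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))) {
            b.parse(in);
            return true;
        } catch (SAXParseException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("SAX, plain manifest accepted:   " + saxAccepts(PLAIN));
        System.out.println("SAX, DOCTYPE manifest accepted: " + saxAccepts(WITH_DOCTYPE));
        System.out.println("DOM, plain manifest accepted:   " + domAccepts(PLAIN));
        System.out.println("DOM, DOCTYPE manifest accepted: " + domAccepts(WITH_DOCTYPE));
    }
}
```

Compiled and run with a stock JDK, both checks accept PLAIN and reject WITH_DOCTYPE, because the parser throws SAXParseException on the DOCTYPE line before any entity is processed. The same factory setup applies to any component that consumes XML it did not produce itself, which is exactly the position a repo manifest parser or an S3 response parser is in; a quick audit of a code base is to locate every newInstance() call on SAXParserFactory, DocumentBuilderFactory and XMLInputFactory and confirm these features are set before the parser is created.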
Mitigation Status
Users should upgrade to Eclipse JGit 7.0.1 (or later) which contains the security fix [4]. As of the publication date, no workarounds have been detailed, and the vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.eclipse.jgit:org.eclipse.jgit | Maven | >= 7.2.0.202503040940-r, < 7.2.1.202505142326-r | 7.2.1.202505142326-r |
| org.eclipse.jgit:org.eclipse.jgit | Maven | >= 7.1.0.202411261347-r, < 7.1.1.202505221757-r | 7.1.1.202505221757-r |
| org.eclipse.jgit:org.eclipse.jgit | Maven | >= 7.0.0.202409031743-r, < 7.0.1.202505221510-r | 7.0.1.202505221510-r |
| org.eclipse.jgit:org.eclipse.jgit | Maven | >= 6.1.0.202203080745-r, < 6.10.1.202505221210-r | 6.10.1.202505221210-r |
| org.eclipse.jgit:org.eclipse.jgit | Maven | >= 6.0.0.202110060947-m1, < 6.0.0.202111291000-r | 6.0.0.202111291000-r |
| org.eclipse.jgit:org.eclipse.jgit | Maven | < 5.13.4.202507202350-r | 5.13.4.202507202350-r |
Affected products
- Eclipse JGit, range: <= 7.2.0.202503040940-r
- Eclipse JGit / Eclipse JGit v5, range: 7.2.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-vrpq-qp53-qv56 (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-4949 (GHSA; advisory)
- gitlab.eclipse.org/security/cve-assignement/-/issues/64 (GHSA; issue tracking, web)
- gitlab.eclipse.org/security/vulnerability-reports/-/issues/281 (GHSA; issue tracking, web)
- projects.eclipse.org/projects/technology.jgit/releases/5.13.4 (GHSA; release notes, web)
- projects.eclipse.org/projects/technology.jgit/releases/5.13.5 (GHSA; web)
- projects.eclipse.org/projects/technology.jgit/releases/6.10.1 (GHSA; release notes, web)
- projects.eclipse.org/projects/technology.jgit/releases/7.0.1 (GHSA; release notes, web)
- projects.eclipse.org/projects/technology.jgit/releases/7.1.1 (GHSA; release notes, web)
- projects.eclipse.org/projects/technology.jgit/releases/7.2.1 (GHSA; release notes, web)
News mentions
No linked articles in our index yet.