CVE-2025-4949 Overview
CVE-2025-4949 is an XML External Entity (XXE) vulnerability affecting Eclipse JGit versions 7.2.0.202503040940-r and older. The vulnerability exists in two components: the ManifestParser class used by the repo command and the AmazonS3 class that implements the experimental amazons3 git transport protocol for storing git pack files in Amazon S3 buckets. When parsing XML files, these classes fail to properly disable external entity processing, making them susceptible to XXE attacks.
Critical Impact
Successful exploitation of this XXE vulnerability can lead to information disclosure through file exfiltration, denial of service attacks, and server-side request forgery (SSRF) to internal systems.
Affected Products
- Eclipse JGit versions up to and including 7.2.0.202503040940-r
- Eclipse JGit 7.x branch (prior to 7.2.1)
- Eclipse JGit 6.x branch (prior to 6.10.1)
- Eclipse JGit 5.x branch (prior to 5.13.4)
- Eclipse JGit 7.0.x and 7.1.x branches (prior to 7.0.1 and 7.1.1)
Discovery Timeline
- 2025-05-21 - CVE-2025-4949 published to NVD
- 2026-01-05 - Last updated in NVD database
Technical Details for CVE-2025-4949
Vulnerability Analysis
This vulnerability falls under CWE-611 (Improper Restriction of XML External Entity Reference). The affected components in Eclipse JGit parse XML input without configuring the XML parser to disable external entity processing. This parser-configuration flaw allows attackers who can control or influence XML input to these components to inject malicious external entity declarations.
The ManifestParser class is used when processing repository manifests via the repo command, while the AmazonS3 class handles XML responses when using the experimental Amazon S3 git transport protocol. Both components process XML data from potentially untrusted sources without adequate security controls.
The attack requires network access and authenticated privileges, with some user interaction needed. While the attack complexity is high, successful exploitation can result in high confidentiality impact on both the vulnerable system and connected systems.
Root Cause
The root cause is the failure to properly configure XML parsers in the ManifestParser and AmazonS3 classes to disable Document Type Definition (DTD) processing and external entity resolution. When XML parsers are instantiated with default settings, they typically allow external entity processing, which creates a security vulnerability when parsing untrusted XML content.
Attack Vector
The attack is conducted over the network and targets the XML parsing functionality in Eclipse JGit. An attacker can craft malicious XML content containing external entity declarations that, when processed by the vulnerable components, can:
- Information Disclosure: Read arbitrary files from the server file system by defining external entities that reference local files (e.g., /etc/passwd, configuration files, or application secrets)
- Server-Side Request Forgery (SSRF): Make the server perform HTTP requests to internal services or external systems
- Denial of Service: Cause resource exhaustion through recursive entity expansion (billion laughs attack) or by referencing slow or non-responsive external resources
The vulnerability is triggered when a user interacts with malicious repository manifests or when the AmazonS3 transport processes crafted XML responses.
Detection Methods for CVE-2025-4949
Indicators of Compromise
- Unexpected outbound network connections from JGit processes to internal or external IP addresses
- Access to sensitive files such as /etc/passwd, SSH keys, or application configuration files from JGit-related processes
- XML parsing errors in logs containing references to external DTDs or entity declarations
- Unusual resource consumption or timeouts during XML processing operations
Detection Strategies
- Monitor application logs for XML parsing exceptions or errors related to external entity resolution
- Implement network monitoring to detect unexpected outbound connections from systems running JGit
- Use file integrity monitoring on sensitive system files to detect unauthorized access attempts
- Deploy web application firewalls (WAF) with XXE detection rules for systems processing XML through JGit
Monitoring Recommendations
- Enable verbose logging for JGit operations involving manifest parsing and S3 transport
- Configure network monitoring to alert on DNS lookups or HTTP requests to unexpected domains from JGit processes
- Implement security information and event management (SIEM) rules to correlate XML-related errors with potential exploitation attempts
How to Mitigate CVE-2025-4949
Immediate Actions Required
- Upgrade Eclipse JGit to patched versions: 7.2.1, 7.1.1, 7.0.1, 6.10.1, or 5.13.4 depending on your version branch
- Review and restrict network access for systems running JGit to limit potential SSRF impact
- Audit systems for unauthorized file access that may indicate prior exploitation
- Implement input validation for XML content processed by JGit components
Patch Information
Eclipse has released patched versions across multiple version branches to address this vulnerability. Organizations should upgrade to the appropriate version based on their current deployment:
- Eclipse JGit Release 7.2.1 - For users on the 7.2.x branch
- Eclipse JGit Release 7.1.1 - For users on the 7.1.x branch
- Eclipse JGit Release 7.0.1 - For users on the 7.0.x branch
- Eclipse JGit Release 6.10.1 - For users on the 6.x branch
- Eclipse JGit Release 5.13.4 - For users on the 5.x branch
For additional details, refer to the GitLab Vulnerability Report.
Workarounds
- If immediate patching is not possible, avoid using the repo command with untrusted manifest files
- Disable or restrict use of the experimental amazons3 git transport protocol until patched
- Implement network segmentation to limit the impact of potential SSRF attacks
- Configure XML parsers at the JVM level to disable external entity processing where possible
Example: update the JGit dependency in a Maven pom.xml, replacing the version with the patched release for your branch (7.2.1.202505142326-r is shown for the 7.2.x branch):

<dependency>
    <groupId>org.eclipse.jgit</groupId>
    <artifactId>org.eclipse.jgit</artifactId>
    <version>7.2.1.202505142326-r</version>
</dependency>

Then verify which JGit version is actually resolved on the classpath (a transitive dependency may still pull in an older build):

mvn dependency:tree | grep jgit
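The root cause above is a parser left at its defaults, and the workaround of configuring XML parsers to refuse external entities looks like this in practice. The following is an added example, not JGit's own code or its fix: it hardens a SAX XMLReader and runs it over a constructed repo-style manifest, once as-is and once with a DOCTYPE added, to show the latter being rejected. The class and method names are hypothetical.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;
// Added example (not JGit's code): a SAX reader hardened against XXE, run on a constructed manifest.
public class HardenedManifestParse {
    // Build an XMLReader that refuses DTDs and never resolves external entities.
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setXIncludeAware(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Refusing any DOCTYPE blocks external/parameter entities and billion-laughs
        // expansion in one step; the remaining features are defence in depth.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        XMLReader r = f.newSAXParser().getXMLReader();
        r.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return r;
    }
    // Parse a manifest and return the project paths it declares.
    static List<String> projectPaths(String xml) throws Exception {
        List<String> paths = new ArrayList<>();
        XMLReader r = hardenedReader();
        r.setContentHandler(new DefaultHandler() {
            @Override public void startElement(String uri, String local, String qName, Attributes a) {
                if ("project".equals(qName)) paths.add(a.getValue("path"));
            }
        });
        r.parse(new InputSource(new StringReader(xml)));
        return paths;
    }
    public static void main(String[] args) throws Exception {
        // Constructed manifest in the repo tool's format: parses normally.
        String ok = "<manifest><project name=\"lib\" path=\"libs/lib\"/></manifest>";
        // The same content carrying a DOCTYPE (constructed, internal entity only) is
        // rejected by the hardened reader before any entity could be resolved.
        String dtd = "<!DOCTYPE manifest [<!ENTITY p \"libs/lib\">]>" + ok.replace("libs/lib", "&p;");
        System.out.println(projectPaths(ok));
        try { projectPaths(dtd); } catch (SAXParseException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```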
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

