CVE-2025-4949: 
Java vulnerability analysis and mitigation

In Eclipse JGit versions 7.2.0.202503040940-r and older, a vulnerability was discovered affecting the ManifestParser class and AmazonS3 class. The vulnerability allows XML External Entity (XXE) attacks when parsing XML files through the repo command and the experimental amazons3 git transport protocol used for storing git pack files in Amazon S3 buckets. The issue was discovered by Simon Gerst and assigned CVE-2025-4949 (Eclipse Issue).

The vulnerability stems from improper configuration of SAXParser in both the ManifestParser and AmazonS3 classes, where XML files are parsed without disabling external entity processing. The issue has been assigned a CVSS 4.0 score of 6.8 (MEDIUM) with vector string CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/S:N/AU:Y/R:U/V:D/RE:L/U:Green. The vulnerability is classified under CWE-611 (Improper Restriction of XML External Entity Reference) and CWE-827 (Improper Control of Document Type Definition) (NVD).

The vulnerability can lead to information disclosure, denial of service, and other security issues. When exploited, an attacker can read local system files and potentially perform server-side request forgery (SSRF) attacks. While there are limitations on exfiltrating files containing linebreaks due to Java's URL handling, researchers suggest there might be ways to bypass this restriction through different encoding techniques (Eclipse Report).

The vulnerability has been fixed in JGit version 7.2.1.202505142326-r by implementing proper XML parser hardening. The fix involves setting specific features on the XMLReader instance to disable external parameter entities and external general entities. Users are advised to upgrade to the patched version (Eclipse Release).