CVE-2025-4949: 
Java vulnerability analysis and mitigation

In Eclipse JGit versions 7.2.0.202503040940-r and older, a vulnerability was discovered in the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol. The vulnerability allows XML External Entity (XXE) attacks when parsing XML files through these components. The issue was discovered by Simon Gerst and was assigned CVE-2025-4949 (Eclipse Issue).

The vulnerability stems from improper configuration of SAXParser in both the ManifestParser and AmazonS3 classes, where XML files are parsed without disabling external entity processing. The issue has been assigned a CVSS 4.0 score of 6.8 (MEDIUM) with vector string CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/S:N/AU:Y/R:U/V:D/RE:L/U:Green. The vulnerability is classified under CWE-611 (Improper Restriction of XML External Entity Reference) and CWE-827 (Improper Control of Document Type Definition) (NVD, Wiz Report).

The vulnerability can lead to information disclosure, denial of service, and other security issues. When exploited, an attacker can read local system files and potentially perform server-side request forgery (SSRF) attacks. While there are limitations on exfiltrating files containing linebreaks due to Java's URL handling, researchers suggest there might be ways to bypass this restriction through different encoding techniques (Eclipse Report).

The vulnerability has been fixed in JGit version 7.2.1.202505142326-r by implementing proper XML parser hardening. The fix involves setting specific features on the XMLReader instance to disable external parameter entities and external general entities. Users are advised to upgrade to the patched version. The fix has been backported to versions 6.10.1, 7.0.1, and 7.1.1 (Eclipse Release).