Is CVE-2025-4949 actively exploited?

CVE-2025-4949 has no public evidence of in-the-wild exploitation as of 2026-01-05.

What is the CVSS score for CVE-2025-4949?

CVE-2025-4949 has a CVSS score of 6.8 (MEDIUM severity). Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:D/RE:L/U:Green.

How do I patch CVE-2025-4949?

Patch guidance is available from eclipse security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2025-4949.

CVE-2025-4949 - remediation guidance & executive summary

Q: Which products are affected by CVE-2025-4949?

5 products: eclipse jgit, eclipse jgit, eclipse jgit, eclipse jgit, eclipse jgit.

Description

In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.

CVSS Metrics

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:D/RE:L/U:Green
Attack Vector: network
Complexity: high
Privileges: low
User Action: active
Confidentiality: undefined
Integrity: undefined
Availability: undefined
Weaknesses: CWE-611 · XML External Entity (XXE)CWE-827 CWE-611 · XML External Entity (XXE)

Metadata

Primary Vendor: ECLIPSE
Published: 5/21/2025
Last Modified: 1/5/2026
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

CVE-2025-4949

Description

CVSS Metrics

Metadata

Affected Products

Remediation Guidance

Executive Summary