
CVE-2025-4949: CWE-611 Improper Restriction of XML External Entity Reference in Eclipse JGit

Severity: Medium
Tags: Vulnerability, CVE-2025-4949, CWE-611, CWE-827
Published: Wed May 21 2025 (05/21/2025, 06:47:19 UTC)
Source: CVE
Vendor/Project: Eclipse JGit
Product: Eclipse JGit

Description

In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command, and the AmazonS3 class used to implement the experimental amazons3 git transport protocol (which allows git pack files to be stored in an Amazon S3 bucket), are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.

AI-Powered Analysis

Last updated: 07/06/2025, 04:40:38 UTC

Technical Analysis

CVE-2025-4949 is a security vulnerability identified in Eclipse JGit versions 7.2.0.202503040940-r and earlier. The vulnerability stems from improper restriction of XML External Entity (XXE) references within the ManifestParser class, which is utilized by the 'repo' command, and the AmazonS3 class, which supports an experimental Amazon S3 git transport protocol. This protocol allows git pack files to be stored in Amazon S3 buckets. The vulnerability arises during XML parsing operations where external entity references are not adequately controlled, enabling an attacker to craft malicious XML input that can exploit the XML parser's behavior.

Exploitation of this XXE vulnerability can lead to multiple security issues including information disclosure, denial of service (DoS), and potentially other impacts depending on the context of use. Specifically, an attacker could leverage the vulnerability to read arbitrary files from the host system, cause application crashes, or induce resource exhaustion. The vulnerability is classified under CWE-611 (Improper Restriction of XML External Entity Reference) and CWE-827 (Improper Control of Dynamically-Managed Code Resources).

The CVSS 4.0 base score is 6.8, indicating a medium severity level. The attack vector is network-based (AV:N), but requires high attack complexity (AC:H), low privileges (PR:L), and user interaction (UI:A). The vulnerability impacts confidentiality primarily, with some impact on availability, and requires that the attacker can induce the vulnerable XML parsing with crafted input. No known exploits are currently reported in the wild, and no patches are linked yet, indicating that mitigation may require updates from the vendor or configuration changes to disable vulnerable features or XML external entity processing.

Potential Impact

For European organizations, this vulnerability poses a moderate risk particularly to those using Eclipse JGit in their development workflows, especially if they utilize the experimental Amazon S3 git transport protocol or the 'repo' command that parses XML manifests. The information disclosure risk could lead to leakage of sensitive internal data or credentials if attackers can exploit the XXE to access local files or internal network resources. Denial of service could disrupt development pipelines or continuous integration systems relying on JGit, impacting operational continuity. Since JGit is widely used in software development environments, organizations with large-scale or distributed development teams, including those in sectors like finance, manufacturing, and government, could face increased exposure. The requirement for user interaction and low privileges reduces the likelihood of widespread automated exploitation but does not eliminate targeted attacks. Additionally, organizations using cloud storage integrations with Amazon S3 for git repositories should be particularly cautious, as this expands the attack surface. The medium severity suggests that while urgent, the threat is not critical, but ignoring it could lead to escalated risks in environments where XML parsing is frequent and trusted.

Mitigation Recommendations

European organizations should take immediate steps to mitigate this vulnerability even before an official patch is released.

1. Review and restrict the use of the experimental Amazon S3 git transport protocol; consider disabling it if not essential.
2. Configure XML parsers used by JGit or related tools to disable external entity processing and DTDs, effectively preventing XXE exploitation. This can often be done by setting secure parser features such as 'disallow-doctype-decl' and disabling external entity resolution.
3. Audit and monitor usage of the 'repo' command and any XML manifest files for suspicious or unexpected inputs.
4. Implement strict access controls and network segmentation to limit exposure of development systems to untrusted users or networks.
5. Keep an eye on vendor advisories for patches or updates and plan for prompt application once available.
6. Educate developers and DevOps teams about the risks of XXE vulnerabilities and encourage secure coding and configuration practices around XML processing.
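The second recommendation above (disable DTDs and external entity resolution) is concrete enough to show in code. The following is an added example written for this page; it is not JGit's ManifestParser or AmazonS3 code and makes no claim about how those classes build their parsers. It assumes the standard java.xml SAX API (the feature URIs are the ones Xerces-based JDK parsers recognise) and uses a constructed, manifest-like document plus a second constructed document carrying a DOCTYPE to show that the hardened reader refuses it before any entity can be resolved.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;

import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Added example, not JGit code: a SAX XMLReader hardened against XXE,
 * applied to a constructed manifest-style document.
 */
public class HardenedManifestParse {

    /** Builds an XMLReader that refuses DOCTYPE declarations and never resolves external entities. */
    static XMLReader hardenedReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        // Primary control: reject any DTD. Without a DTD no entity, internal or
        // external, can be declared, so classic XXE payloads fail at the prolog.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case an implementation ignores the feature above.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setXIncludeAware(false);
        XMLReader reader = factory.newSAXParser().getXMLReader();
        // Last line of defence: even if an entity reference reached resolution,
        // hand the parser an empty stream instead of touching files or the network.
        reader.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return reader;
    }

    /** Collects the 'name' attribute of every <project> element in the document. */
    static List<String> parseProjectNames(String xml) throws Exception {
        List<String> names = new ArrayList<>();
        XMLReader reader = hardenedReader();
        reader.setContentHandler(new DefaultHandler() {
            @Override
            public void startElement(String uri, String localName, String qName, Attributes attrs) {
                if ("project".equals(qName) && attrs.getValue("name") != null) {
                    names.add(attrs.getValue("name"));
                }
            }
        });
        reader.parse(new InputSource(new StringReader(xml)));
        return names;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a small manifest without any DTD, which must parse normally.
        String benign = "<?xml version=\"1.0\"?>\n"
                + "<manifest>\n"
                + "  <project name=\"platform/core\" path=\"core\"/>\n"
                + "  <project name=\"platform/tools\" path=\"tools\"/>\n"
                + "</manifest>\n";
        System.out.println("benign manifest -> " + parseProjectNames(benign));

        // Constructed sample: same manifest but with a DOCTYPE declaring an external entity
        // (placeholder URI). The hardened reader must refuse it at the DOCTYPE itself.
        String withDoctype = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE manifest [<!ENTITY ext SYSTEM \"file:///placeholder\">]>\n"
                + "<manifest><project name=\"&ext;\"/></manifest>\n";
        try {
            parseProjectNames(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE document was accepted");
        } catch (SAXException e) {
            // Expected path: the parser stops before any entity is resolved.
            System.out.println("DOCTYPE document rejected: " + e.getMessage());
        } catch (IOException e) {
            System.out.println("I/O error (should not happen for in-memory input): " + e);
        }
    }
}
```

Run with `javac HardenedManifestParse.java && java HardenedManifestParse`. The useful check for a code review is that the first document yields the two project names while the second fails inside parsing, which is what you want a regression test around any XML-consuming code path (manifest parsing, S3 listing responses) to assert. Note that setting the features on the factory must happen before `newSAXParser()` is called; features set on a reader obtained elsewhere may be silently ignored by some implementations, which is why the entity resolver is kept as an independent safeguard.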


Technical Details

Data Version
5.1
Assigner Short Name
eclipse
Date Reserved
2025-05-19T07:02:22.381Z
Cisa Enriched
false
Cvss Version
4.0
State
PUBLISHED

Threat ID: 682d7b32c631aa761259c0e0

Added to database: 5/21/2025, 7:05:22 AM

Last enriched: 7/6/2025, 4:40:38 AM

Last updated: 8/11/2025, 2:04:57 AM
