XML External Entity (XXE) Injection Affecting apicurio-registry package, versions <3.0.7-r1


Severity

Recommended
0.0
critical
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.09% (26th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about XML External Entity (XXE) Injection vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-CHAINGUARDLATEST-APICURIOREGISTRY-10244527
  • published25 May 2025
  • disclosed21 May 2025

Introduced: 21 May 2025

CVE-2025-4949  (opens in a new tab)
CWE-611  (opens in a new tab)

How to fix?

Upgrade Chainguard apicurio-registry to version 3.0.7-r1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream apicurio-registry package and not the apicurio-registry package as distributed by Chainguard. See How to fix? for Chainguard relevant fixed versions and status.

In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.

CVSS Base Scores

version 3.1