diff --git a/gradle-8.yaml b/gradle-8.yaml
index c9d18a756f7..0f2cba0aab3 100644
--- a/gradle-8.yaml
+++ b/gradle-8.yaml
@@ -3,7 +3,7 @@ package:
 version: "8.14.1"
 # For version upgrades check whether patches are still needed.
 # Upstream changes are being tracked in https://github.com/gradle/gradle/issues/25945
- epoch: 0
+ epoch: 1
 description: A Java project management and project comprehension tool.
 copyright:
 - license: Apache-2.0
@@ -40,7 +40,7 @@ pipeline:
 - uses: patch
 with:
- patches: upgrade-deps.patch
+ patches: upgrade-deps.patch fix-CVE-2025-4949.patch
 - runs: |
 export JAVA_HOME=/usr/lib/jvm/java-17-openjdk
diff --git a/gradle-8/fix-CVE-2025-4949.patch b/gradle-8/fix-CVE-2025-4949.patch
new file mode 100644
index 00000000000..06517b761eb
--- /dev/null
+++ b/gradle-8/fix-CVE-2025-4949.patch
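Review bot: The new `fix-CVE-2025-4949.patch` entry on the `patches:` line carries no pointer to when it can be dropped, while the comment above `epoch` in the first hunk says patches must be re-checked on every version upgrade. A comment beside the patch step would make that check mechanical, e.g. `# fix-CVE-2025-4949.patch bumps jgit to 6.10.1.202505221210-r; drop once upstream 8.x ships that version or newer.` The `patches:` value is a whitespace-separated list, so the two names are read as separate files as intended. The `runs:` step that follows continues outside the hunk.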
@@ -0,0 +1,41 @@
+From 46ec6ee22ad0307ec435b5e37d39a47b3d4f0a04 Mon Sep 17 00:00:00 2001
+From: Kyle Steere
+Date: Tue, 27 May 2025 13:10:11 -0500
+Subject: [PATCH] fix CVE-2025-4949 by upgrading to jgit 6.10.1.202505221210-r
+
+Signed-off-by: Kyle Steere
+---
+ build-logic-commons/build-platform/build.gradle.kts | 2 +-
+ packaging/distributions-dependencies/build.gradle.kts | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/build-logic-commons/build-platform/build.gradle.kts b/build-logic-commons/build-platform/build.gradle.kts
+index 8eca912a8be..764b5d10c41 100644
+--- a/build-logic-commons/build-platform/build.gradle.kts
++++ b/build-logic-commons/build-platform/build.gradle.kts
+@@ -75,7 +75,7 @@ dependencies {
+ api("org.codehaus.groovy:groovy:$groovyVersion")
+ api("org.codehaus.groovy.modules.http-builder:http-builder:0.7.2") // TODO maybe change group name when upgrading to Groovy 4
+ api("org.codenarc:CodeNarc:$codenarcVersion")
+- api("org.eclipse.jgit:org.eclipse.jgit:5.13.3.202401111512-r")
++ api("org.eclipse.jgit:org.eclipse.jgit:6.10.1.202505221210-r")
+ api("org.javassist:javassist:3.30.2-GA")
+ api("org.jetbrains.kotlinx:kotlinx-metadata-jvm:0.9.0")
+ api("org.jsoup:jsoup:1.15.3")
+diff --git a/packaging/distributions-dependencies/build.gradle.kts b/packaging/distributions-dependencies/build.gradle.kts
+index aa8d03e3d75..7c2880b76ae 100644
+--- a/packaging/distributions-dependencies/build.gradle.kts
++++ b/packaging/distributions-dependencies/build.gradle.kts
+@@ -120,8 +120,8 @@ dependencies {
+ api(libs.jclToSlf4j) { version { strictly(slf4jVersion) }}
+ api(libs.jcommander) { version { strictly("1.78") }}
+ api(libs.jetbrainsAnnotations) { version { strictly("24.0.1") }}
+- api(libs.jgit) { version { strictly("5.13.3.202401111512-r"); because("6.x requires Java 11") }}
+- api(libs.jgitSsh) { version { strictly("5.13.3.202401111512-r") }}
++ api(libs.jgit) { version { strictly("6.10.1.202505221210-r"); because("6.x requires Java 11") }}
++ api(libs.jgitSsh) { version { strictly("6.10.1.202505221210-r") }}
+ api(libs.joda) { version { strictly("2.12.2") }}
+ api(libs.joptSimple) { version { strictly("5.0.4"); because("needed to create profiler in Gradle profiler API") }}
+ api(libs.jsch) { version { strictly("0.2.16") }}
+--
+2.43.0
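Review bot: The retained `because("6.x requires Java 11")` on the new `api(libs.jgit)` line in packaging/distributions-dependencies/build.gradle.kts no longer explains the pin: that reason justified staying on 5.13.3, and the line now strictly pins 6.10.1.202505221210-r, so the text reads as a contradiction. Changing it to state the actual reason, e.g. `because("CVE-2025-4949; note 6.x requires Java 11 at runtime")`, keeps the compatibility caveat and documents why the strict version differs from upstream. The caveat itself still matters: the package pipeline exports a Java 17 JAVA_HOME for the build, but the jgit jars shipped in the distribution now need Java 11 at runtime, which upstream had avoided with the 5.x pin; whether any consumer of this package still runs Gradle on Java 8 is not visible from this diff. The matching bump in build-logic-commons/build-platform/build.gradle.kts has no rationale string, so it needs no text change.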