CVE-2025-10492 CRITICAL

Published: 2025-09-16 | Last Modified: 2026-02-10 | Status: Modified

Description

A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library

CVSS Metrics

Base Score: 9.8 (CRITICAL)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector	NETWORK
Attack Complexity	LOW
Privileges Required	NONE
User Interaction	NONE
Scope	UNCHANGED
Confidentiality Impact	HIGH
Integrity Impact	HIGH
Availability Impact	HIGH

Source: [email protected]

Type: Primary

Exploitability Score: 3.9

Impact Score: 5.9

Base Score: 8.7 (HIGH)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector	NETWORK
Attack Complexity	LOW
Attack Requirements	NONE
Privileges Required	LOW
User Interaction	NONE
Vulnerability Confidentiality	HIGH
Vulnerability Integrity	HIGH
Vulnerability Availability	HIGH
Subsequent Confidentiality	NONE
Subsequent Integrity	NONE
Subsequent Availability	NONE

Source: db6d2600-d19b-4111-a010-f3c4ed70cd50

Type: Secondary

Weaknesses

Source	Type	Description
db6d2600-d19b-4111-a010-f3c4ed70cd50	Secondary	en CWE-502
134c704f-9b21-4f2e-91b3-4a467353bcc0	Secondary	en CWE-502

Affected Products

Vendor	Product	Version	Update	Type
cloud	jasperreports_io	*	<built-in method update of dict object at 0x72a9cd0c14c0>	Application
cloud	jasperreports_io	*	<built-in method update of dict object at 0x72a9b0db56c0>	Application
cloud	jasperreports_library	*	<built-in method update of dict object at 0x72a9b0db5e40>	Application
cloud	jasperreports_library	*	<built-in method update of dict object at 0x72a9cc627400>	Application
cloud	jasperreports_server	*	<built-in method update of dict object at 0x72a9cd0c1940>	Application
cloud	jasperreports_studio	*	<built-in method update of dict object at 0x72a9cd0c0440>	Application
cloud	jasperreports_studio	*	<built-in method update of dict object at 0x72a9cd0c2e40>	Application
cloud	jasperreports_web_studio	*	<built-in method update of dict object at 0x72a9b0db4780>	Application

Affected Configurations

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:a:cloud:jasperreports_io:::::at-scale:::*`
Yes	`cpe:2.3:a:cloud:jasperreports_io:::::professional:::*`
Yes	`cpe:2.3:a:cloud:jasperreports_library:::::community:::*`
Yes	`cpe:2.3:a:cloud:jasperreports_library:::::professional:::*`
Yes	`cpe:2.3:a:cloud:jasperreports_server::::::::`
Yes	`cpe:2.3:a:cloud:jasperreports_studio:::::community:::*`
Yes	`cpe:2.3:a:cloud:jasperreports_studio:::::professional:::*`
Yes	`cpe:2.3:a:cloud:jasperreports_web_studio::::::::`

References

https://community.jaspersoft.com/advisories/jaspersoft-security-advisory-september-16-2025-jaspersoft-library-cve-2025-10492-r6/
Source: db6d2600-d19b-4111-a010-f3c4ed70cd50

Vendor Advisory
https://community.jaspersoft.com/forums/topic/69926-cve-2025-10492-%E2%80%93-no-fix-available-after-jasperreports-upgrade-community-edition
Source: af854a3a-2127-422b-91ae-364da2661108