CVE-2025-10492 (GCVE-0-2025-10492)
Vulnerability from cvelistv5 – Published: 2025-09-16 16:41 – Updated: 2025-10-14 04:49
Summary
A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library.
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Jaspersoft | JasperReports Library Community Edition | Affected: 0 , ≤ 7.0.3 (maven) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10492",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-16T17:29:30.897271Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-25T16:15:24.178Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "net/sf/jasperreports/jasperreports/",
"product": "JasperReports Library Community Edition",
"repo": "https://github.com/Jaspersoft/jasperreports",
"vendor": "Jaspersoft",
"versions": [
{
"lessThanOrEqual": "7.0.3",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Jaspersoft Studio Community Edition",
"vendor": "Jaspersoft",
"versions": [
{
"lessThanOrEqual": "7.0.3",
"status": "affected",
"version": "0",
"versionType": "Patch"
}
]
},
{
"defaultStatus": "unaffected",
"product": "JasperReports Server",
"vendor": "Jaspersoft",
"versions": [
{
"lessThanOrEqual": "9.0.0",
"status": "affected",
"version": "0",
"versionType": "Patch"
}
]
},
{
"defaultStatus": "unaffected",
"product": "JasperReports Library Professional",
"vendor": "Jaspersoft",
"versions": [
{
"lessThanOrEqual": "9.0.2",
"status": "affected",
"version": "0",
"versionType": "Patch"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Jaspersoft Studio Professional",
"vendor": "Jaspersoft",
"versions": [
{
"lessThanOrEqual": "9.0.2",
"status": "affected",
"version": "0",
"versionType": "Patch"
}
]
},
{
"defaultStatus": "unaffected",
"product": "JasperReports IO Professional",
"vendor": "Jaspersoft",
"versions": [
{
"lessThanOrEqual": "4.0.0",
"status": "affected",
"version": "0",
"versionType": "Patch"
}
]
},
{
"defaultStatus": "unaffected",
"product": "JasperReports IO At-Scale",
"vendor": "Jaspersoft",
"versions": [
{
"lessThanOrEqual": "4.0.0",
"status": "affected",
"version": "0",
"versionType": "Patch"
}
]
},
{
"defaultStatus": "unaffected",
"product": "JasperReports Web Studio",
"vendor": "Jaspersoft",
"versions": [
{
"lessThanOrEqual": "3.0.1",
"status": "affected",
"version": "0",
"versionType": "Patch"
}
]
}
],
"datePublic": "2025-09-16T16:25:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library"
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T04:49:45.696Z",
"orgId": "db6d2600-d19b-4111-a010-f3c4ed70cd50",
"shortName": "Jaspersoft"
},
"references": [
{
"url": "https://community.jaspersoft.com/advisories/jaspersoft-security-advisory-september-16-2025-jaspersoft-library-cve-2025-10492-r6/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Jaspersoft Library Deserialisation Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "db6d2600-d19b-4111-a010-f3c4ed70cd50",
"assignerShortName": "Jaspersoft",
"cveId": "CVE-2025-10492",
"datePublished": "2025-09-16T16:41:44.931Z",
"dateReserved": "2025-09-15T16:26:21.449Z",
"dateUpdated": "2025-10-14T04:49:45.696Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-10492\",\"sourceIdentifier\":\"db6d2600-d19b-4111-a010-f3c4ed70cd50\",\"published\":\"2025-09-16T17:15:40.517\",\"lastModified\":\"2025-10-14T15:06:20.363\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"db6d2600-d19b-4111-a010-f3c4ed70cd50\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DE
FINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"db6d2600-d19b-4111-a010-f3c4ed70cd50\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cloud:jasperreports_io:*:*:*:*:at-scale:*:*:*\",\"versionEndIncluding\":\"4.0.0\",\"matchCriteriaId\":\"EE18AC5A-0750-49DD-8C60-051E2CC4BF21\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cloud:jasperreports_io:*:*:*:*:professional:*:*:*\",\"versionEndIncluding\":\"4.0.0\",\"matchCriteriaId\":\"80E88A74-1650-4F7F-8C27-1F1E4340097B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cloud:jasperreports_library:*:*:*:*:community:*:*:*\",\"versionEndIncluding\":\"7.0.3\",\"matchCriteriaId\":\"F0F18644-0B89-4515-9932-9AD934F4EF44\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cloud:jasperreports_library:*:*:*:*:professional:*:*:*\",\"versionEndIncluding\":\"9.0.2\",\"matchCriteriaId\":\"B578C57A-08E7-48BA-AD70-0F70AC76CE1E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cloud:jasperreports_server:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"9.0.0\",\"matchCriteriaId\":\"D7395E03-A986-433C-9079-B6907D0542CA\"
},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cloud:jasperreports_studio:*:*:*:*:community:*:*:*\",\"versionEndIncluding\":\"7.0.3\",\"matchCriteriaId\":\"39679BD0-F934-425C-86DC-9DDB0818AE63\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cloud:jasperreports_studio:*:*:*:*:professional:*:*:*\",\"versionEndIncluding\":\"9.0.2\",\"matchCriteriaId\":\"546BE369-B456-42EB-B962-FC3DC131AE98\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cloud:jasperreports_web_studio:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"3.0.1\",\"matchCriteriaId\":\"79081F65-FE87-440C-B7BE-3F7D6069646B\"}]}]}],\"references\":[{\"url\":\"https://community.jaspersoft.com/advisories/jaspersoft-security-advisory-september-16-2025-jaspersoft-library-cve-2025-10492-r6/\",\"source\":\"db6d2600-d19b-4111-a010-f3c4ed70cd50\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-10492\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-09-16T17:29:30.897271Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502 Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-09-25T16:15:15.782Z\"}}], \"cna\": {\"title\": \"Jaspersoft Library Deserialisation Vulnerability\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 8.7, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/Jaspersoft/jasperreports\", \"vendor\": \"Jaspersoft\", \"product\": \"JasperReports Library Community Edition\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"maven\", \"lessThanOrEqual\": \"7.0.3\"}], \"packageName\": 
\"net/sf/jasperreports/jasperreports/\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Jaspersoft\", \"product\": \"Jaspersoft Studio Community Edition\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"Patch\", \"lessThanOrEqual\": \"7.0.3\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Jaspersoft\", \"product\": \"JasperReports Server\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"Patch\", \"lessThanOrEqual\": \"9.0.0\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Jaspersoft\", \"product\": \"JasperReports Library Professional\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"Patch\", \"lessThanOrEqual\": \"9.0.2\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Jaspersoft\", \"product\": \"Jaspersoft Studio Professional\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"Patch\", \"lessThanOrEqual\": \"9.0.2\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Jaspersoft\", \"product\": \"JasperReports IO Professional\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"Patch\", \"lessThanOrEqual\": \"4.0.0\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Jaspersoft\", \"product\": \"JasperReports IO At-Scale\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"Patch\", \"lessThanOrEqual\": \"4.0.0\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Jaspersoft\", \"product\": \"JasperReports Web Studio\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"Patch\", \"lessThanOrEqual\": \"3.0.1\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2025-09-16T16:25:00.000Z\", \"references\": [{\"url\": 
\"https://community.jaspersoft.com/advisories/jaspersoft-security-advisory-september-16-2025-jaspersoft-library-cve-2025-10492-r6/\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eA Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library\u003c/span\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502 Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"db6d2600-d19b-4111-a010-f3c4ed70cd50\", \"shortName\": \"Jaspersoft\", \"dateUpdated\": \"2025-10-14T04:49:45.696Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-10492\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-14T04:49:45.696Z\", \"dateReserved\": \"2025-09-15T16:26:21.449Z\", \"assignerOrgId\": \"db6d2600-d19b-4111-a010-f3c4ed70cd50\", \"datePublished\": \"2025-09-16T16:41:44.931Z\", \"assignerShortName\": \"Jaspersoft\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.