CVE-2025-10492

CRITICAL

Cloud Jasperreports IO < 4.0.0 - Insecure Deserialization

Title source: rule

Description

A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library.

Exploits (2)

github SCANNER 2 stars
by adminlove520 · python · poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-10492
nomisec STUB
by dovezp · poc
https://github.com/dovezp/CVE-2025-10492-POC

Scores

CVSS v3 9.8
EPSS 0.0052
EPSS Percentile 66.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-502
Status published
Products (8)
cloud/jasperreports_io < 4.0.0 (2 CPE variants)
cloud/jasperreports_library < 7.0.3
cloud/jasperreports_library < 9.0.2
cloud/jasperreports_server < 9.0.0
cloud/jasperreports_studio < 7.0.3
cloud/jasperreports_studio < 9.0.2
cloud/jasperreports_web_studio < 3.0.1
net.sf.jasperreports/jasperreports 0 (Maven)
Published Sep 16, 2025
Tracked Since Feb 18, 2026