{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10492", "assignerOrgId": "db6d2600-d19b-4111-a010-f3c4ed70cd50", "state": "PUBLISHED", "assignerShortName": "Jaspersoft", "dateReserved": "2025-09-15T16:26:21.449Z", "datePublished": "2025-09-16T16:41:44.931Z", "dateUpdated": "2026-02-10T18:12:20.433Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "net/sf/jasperreports/jasperreports/", "product": "JasperReports Library Community Edition", "repo": "https://github.com/Jaspersoft/jasperreports", "vendor": "Jaspersoft", "versions": [{"lessThanOrEqual": "7.0.3", "status": "affected", "version": "0", "versionType": "maven"}]}, {"defaultStatus": "unaffected", "product": "Jaspersoft Studio Community Edition", "vendor": "Jaspersoft", "versions": [{"lessThanOrEqual": "7.0.3", "status": "affected", "version": "0", "versionType": "Patch"}]}, {"defaultStatus": "unaffected", "product": "JasperReports Server", "vendor": "Jaspersoft", "versions": [{"lessThanOrEqual": "9.0.0", "status": "affected", "version": "0", "versionType": "Patch"}]}, {"defaultStatus": "unaffected", "product": "JasperReports Library Professional", "vendor": "Jaspersoft", "versions": [{"lessThanOrEqual": "9.0.2", "status": "affected", "version": "0", "versionType": "Patch"}]}, {"defaultStatus": "unaffected", "product": "Jaspersoft Studio Professional", "vendor": "Jaspersoft", "versions": [{"lessThanOrEqual": "9.0.2", "status": "affected", "version": "0", "versionType": "Patch"}]}, {"defaultStatus": "unaffected", "product": "JasperReports IO Professional", "vendor": "Jaspersoft", "versions": [{"lessThanOrEqual": "4.0.0", "status": "affected", "version": "0", "versionType": "Patch"}]}, {"defaultStatus": "unaffected", "product": "JasperReports IO At-Scale", "vendor": "Jaspersoft", "versions": [{"lessThanOrEqual": "4.0.0", "status": "affected", "version": "0", "versionType": "Patch"}]}, {"defaultStatus": "unaffected", "product": "JasperReports Web Studio", "vendor": "Jaspersoft", "versions": [{"lessThanOrEqual": "3.0.1", "status": "affected", "version": "0", "versionType": "Patch"}]}], "datePublic": "2025-09-16T16:25:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library</span><br>"}], "value": "A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library"}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "db6d2600-d19b-4111-a010-f3c4ed70cd50", "shortName": "Jaspersoft", "dateUpdated": "2025-10-14T04:49:45.696Z"}, "references": [{"url": "https://community.jaspersoft.com/advisories/jaspersoft-security-advisory-september-16-2025-jaspersoft-library-cve-2025-10492-r6/"}], "source": {"discovery": "UNKNOWN"}, "title": "Jaspersoft Library Deserialisation Vulnerability", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-502", "lang": "en", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-16T17:29:30.897271Z", "id": "CVE-2025-10492", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-25T16:15:24.178Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-10T18:12:20.433Z"}, "references": [{"url": "https://community.jaspersoft.com/forums/topic/69926-cve-2025-10492-%E2%80%93-no-fix-available-after-jasperreports-upgrade-community-edition"}], "title": "CVE Program Container", "x_generator": {"engine": "ADPogram 0.0.1"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10492", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-09-16T17:29:30.897271Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-25T16:15:15.782Z"}}], "cna": {"title": "Jaspersoft Library Deserialisation Vulnerability", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/Jaspersoft/jasperreports", "vendor": "Jaspersoft", "product": "JasperReports Library Community Edition", "versions": [{"status": "affected", "version": "0", "versionType": "maven", "lessThanOrEqual": "7.0.3"}], "packageName": "net/sf/jasperreports/jasperreports/", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}, {"vendor": "Jaspersoft", "product": "Jaspersoft Studio Community Edition", "versions": [{"status": "affected", "version": "0", "versionType": "Patch", "lessThanOrEqual": "7.0.3"}], "defaultStatus": "unaffected"}, {"vendor": "Jaspersoft", "product": "JasperReports Server", "versions": [{"status": "affected", "version": "0", "versionType": "Patch", "lessThanOrEqual": "9.0.0"}], "defaultStatus": "unaffected"}, {"vendor": "Jaspersoft", "product": "JasperReports Library Professional", "versions": [{"status": "affected", "version": "0", "versionType": "Patch", "lessThanOrEqual": "9.0.2"}], "defaultStatus": "unaffected"}, {"vendor": "Jaspersoft", "product": "Jaspersoft Studio Professional", "versions": [{"status": "affected", "version": "0", "versionType": "Patch", "lessThanOrEqual": "9.0.2"}], "defaultStatus": "unaffected"}, {"vendor": "Jaspersoft", "product": "JasperReports IO Professional", "versions": [{"status": "affected", "version": "0", "versionType": "Patch", "lessThanOrEqual": "4.0.0"}], "defaultStatus": "unaffected"}, {"vendor": "Jaspersoft", "product": "JasperReports IO At-Scale", "versions": [{"status": "affected", "version": "0", "versionType": "Patch", "lessThanOrEqual": "4.0.0"}], "defaultStatus": "unaffected"}, {"vendor": "Jaspersoft", "product": "JasperReports Web Studio", "versions": [{"status": "affected", "version": "0", "versionType": "Patch", "lessThanOrEqual": "3.0.1"}], "defaultStatus": "unaffected"}], "datePublic": "2025-09-16T16:25:00.000Z", "references": [{"url": "https://community.jaspersoft.com/advisories/jaspersoft-security-advisory-september-16-2025-jaspersoft-library-cve-2025-10492-r6/"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library</span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "db6d2600-d19b-4111-a010-f3c4ed70cd50", "shortName": "Jaspersoft", "dateUpdated": "2025-10-14T04:49:45.696Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10492", "state": "PUBLISHED", "dateUpdated": "2025-10-14T04:49:45.696Z", "dateReserved": "2025-09-15T16:26:21.449Z", "assignerOrgId": "db6d2600-d19b-4111-a010-f3c4ed70cd50", "datePublished": "2025-09-16T16:41:44.931Z", "assignerShortName": "Jaspersoft"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cloud:jasperreports_io:*:*:*:*:at-scale:*:*:*", "matchCriteriaId": "EE18AC5A-0750-49DD-8C60-051E2CC4BF21", "versionEndIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:cloud:jasperreports_io:*:*:*:*:professional:*:*:*", "matchCriteriaId": "80E88A74-1650-4F7F-8C27-1F1E4340097B", "versionEndIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:cloud:jasperreports_library:*:*:*:*:community:*:*:*", "matchCriteriaId": "F0F18644-0B89-4515-9932-9AD934F4EF44", "versionEndIncluding": "7.0.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:cloud:jasperreports_library:*:*:*:*:professional:*:*:*", "matchCriteriaId": "B578C57A-08E7-48BA-AD70-0F70AC76CE1E", "versionEndIncluding": "9.0.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:cloud:jasperreports_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "D7395E03-A986-433C-9079-B6907D0542CA", "versionEndIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:cloud:jasperreports_studio:*:*:*:*:community:*:*:*", "matchCriteriaId": "39679BD0-F934-425C-86DC-9DDB0818AE63", "versionEndIncluding": "7.0.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:cloud:jasperreports_studio:*:*:*:*:professional:*:*:*", "matchCriteriaId": "546BE369-B456-42EB-B962-FC3DC131AE98", "versionEndIncluding": "9.0.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:cloud:jasperreports_web_studio:*:*:*:*:*:*:*:*", "matchCriteriaId": "79081F65-FE87-440C-B7BE-3F7D6069646B", "versionEndIncluding": "3.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library"}], "id": "CVE-2025-10492", "lastModified": "2026-02-10T19:15:49.760", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "db6d2600-d19b-4111-a010-f3c4ed70cd50", "type": "Secondary"}]}, "published": "2025-09-16T17:15:40.517", "references": [{"source": "db6d2600-d19b-4111-a010-f3c4ed70cd50", "tags": ["Vendor Advisory"], "url": "https://community.jaspersoft.com/advisories/jaspersoft-security-advisory-september-16-2025-jaspersoft-library-cve-2025-10492-r6/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://community.jaspersoft.com/forums/topic/69926-cve-2025-10492-%E2%80%93-no-fix-available-after-jasperreports-upgrade-community-edition"}], "sourceIdentifier": "db6d2600-d19b-4111-a010-f3c4ed70cd50", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "db6d2600-d19b-4111-a010-f3c4ed70cd50", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-502"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"created": "2025-09-17T10:52:05.912049+00:00", "updated": "2025-09-17T10:52:05.912111+00:00", "vendors": ["jaspersoft", "jaspersoft$PRODUCT$jasperreports"]}