
AIKIDO-2025-10917

jasperreports is vulnerable to Deserialization of Untrusted Data

Deserialization of Untrusted Data
CVE-2025-10492
Published Dec 10, 2025

87

High Risk

This Affects:

Java: jasperreports
1.0.0 - 7.0.3
Fixed in 7.0.4

TL;DR

CVE-2025-10492 is a deserialization of untrusted data vulnerability in JasperReports Library. The JRLoader class can deserialize attacker-controlled objects, which allows arbitrary code execution if a malicious serialized payload is processed. You are safe when your application only uses trusted, prepackaged report templates or when you run a recent commercial/enterprise edition, as those versions include vendor-provided patches. You are also safe when JasperReports runs on Java 17 or later, because modern Java versions block deserialization of arbitrary classes by default, preventing the malicious gadget chain.

Who does this affect?

You are affected when your application loads report templates (.jrxml or .jasper) from untrusted or user-supplied sources, or when external input can influence what JasperReports deserializes — for example through upload features, dynamic template loading, or accepting serialized report data. You are not affected when your application runs on Java 17 or later.

Background info

jasperreports is vulnerable to Deserialization of Untrusted Data in versions 1.0.0 - 7.0.3.

How to fix this

Mitigation consists of strictly using trusted templates, disabling user uploads and external template loading, segmenting the reporting component on the network, and ensuring that no untrusted serialized data reaches JRLoader. Alternatively, upgrade to jasperreports 7.0.4 (where this is fixed) or run on Java 17 or later.
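The two controls that put "no untrusted serialized data reaches JRLoader" into code are a JVM-wide deserialization allowlist and a check that only templates from a trusted location are ever opened. The class below is an added example written for this advisory; it is not code from Aikido or from the JasperReports project. The trusted directory path, the class name TrustedReportLoader and the allowlist contents are assumptions for illustration: the allowlist must be tuned to the classes your own compiled .jasper files actually contain. The filter is the JEP 290 mechanism (java.io.ObjectInputFilter, Java 9 and later); it takes effect only once it is configured, either by this call or with -Djdk.serialFilter on the command line, and then applies to every ObjectInputStream in the JVM, including the one JRLoader opens internally.

```java
// Added example for the CVE-2025-10492 advisory; not part of the advisory
// or of the JasperReports library. Assumed placeholders: TRUSTED_DIR and the
// allowlist pattern below (tune it to what your compiled reports contain).
import java.io.File;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.nio.file.Path;
import java.nio.file.Paths;

import net.sf.jasperreports.engine.JRException;
import net.sf.jasperreports.engine.JasperReport;
import net.sf.jasperreports.engine.util.JRLoader;

public final class TrustedReportLoader {

    // Placeholder: a directory that holds only developer- or vendor-supplied
    // templates and that no upload or user-writable path can reach.
    private static final Path TRUSTED_DIR =
            Paths.get("/opt/app/reports").toAbsolutePath().normalize();

    // Starting-point allowlist in jdk.serialFilter syntax. Patterns are matched
    // in order; the trailing "!*" rejects every class not explicitly allowed,
    // so an unexpected gadget class is refused before it is instantiated.
    // "maxdepth" and "maxarray" bound graph depth and array sizes.
    private static final String SERIAL_FILTER_PATTERN = String.join(";",
            "net.sf.jasperreports.**",   // the library's own report model classes
            "java.lang.*",               // String, Integer, Boolean, enums ...
            "java.util.*",               // ArrayList, HashMap, LinkedHashMap ...
            "java.math.*",
            "java.time.*",
            "java.awt.Color",
            "java.awt.Font",
            "maxdepth=64",
            "maxarray=100000",
            "!*");

    private TrustedReportLoader() {}

    /** Install the allowlist once at JVM startup, before any report is loaded. */
    public static void installSerialFilter() {
        ObjectInputFilter filter =
                ObjectInputFilter.Config.createFilter(SERIAL_FILTER_PATTERN);
        // setSerialFilter may be called only once per JVM and throws if a filter
        // was already configured (for example via -Djdk.serialFilter).
        ObjectInputFilter.Config.setSerialFilter(filter);
    }

    /**
     * Resolve a template name inside the trusted directory, refuse anything that
     * escapes it (absolute paths, "../" segments) or is not a compiled report,
     * and only then hand the file to JRLoader.
     */
    public static JasperReport loadTrustedTemplate(String templateName)
            throws JRException, IOException {
        Path resolved = TRUSTED_DIR.resolve(templateName).normalize();
        if (!resolved.startsWith(TRUSTED_DIR)
                || !resolved.toString().endsWith(".jasper")) {
            throw new IOException("refusing template outside trusted directory: "
                    + templateName);
        }
        File file = resolved.toFile();
        if (!file.isFile()) {
            throw new IOException("template not found: " + resolved);
        }
        Object loaded = JRLoader.loadObject(file);
        if (!(loaded instanceof JasperReport)) {
            throw new JRException("not a compiled report: " + resolved);
        }
        return (JasperReport) loaded;
    }

    public static void main(String[] args) throws Exception {
        installSerialFilter();
        // "invoice.jasper" is a constructed name for illustration.
        JasperReport report = loadTrustedTemplate("invoice.jasper");
        System.out.println("loaded report: " + report.getName());
    }
}
```

Call installSerialFilter() from the application's startup path, not lazily, so that no deserialization can happen before the filter exists. A rejected class surfaces as an InvalidClassException from JRLoader; logging those rejections gives a useful detection signal, since a well-formed template from your own build never trips the filter once the allowlist is tuned.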