[CVE-2025-10492] CWE-502: Deserialization of Untrusted Data, Jasper 6/7

[mastergenny41-collab]

Hi, is there any action to fix the following CVE?

[CVE-2025-10492] CWE-502: Deserialization of Untrusted Data

Kind Regards
M. Gentzsch

[teodord]

Hi!

Thanks for reaching out. We take security seriously and have already released a fix in our commercial edition. For the community edition we haven’t determined a release date at this time.

Thank you,
Teodor

[patmar74]

Hi @teodord,
Can you provide some details on how to reproduce the vulnerability so that the community can fix it for themselves? Or at the very least identify if the issue truly impacts their usage? Any information that you can provide would be greatly appreciated.

[tbroyer]

It looks to me like this is well-known Java deserialization without an allow-list: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html#java

Specifically in ContextClassLoaderObjectInputStream, through JRLoader, used to load compiled Jasper templates.

There might be other similar cases though, but I finally got some "details" from JasperSoft that this is linked to uploads of a malicious resource, so (hopefully) if you're using the library with an immutable set of reports you should be safe 🤞

@teodord It's been nearly 2 weeks with absolutely zero communication allowing the community to assess the risks for their projects, and inviting forcing them to "upgrade" to the commercial version 🤑 This is irresponsible behavior, betrayal of your open source history, and a clear nail in the coffin of your open source community.
Be sure that people who were still using Jasper Server Community and envisioned going to Commercial are currently investigating alternatives.
Of course it is your right to go full on proprietary/commercial, and the LGPL doesn't bind you to even answer here; but when you have already done the vuln analysis (and even came with a fix), it's unethical to embargo the slightest information that would allow the open source community to at least assess the risks.

[teodord]

The description of the CVE-2025-10492 vulnerability mentions a "Java deserialization vulnerability". This vulnerability exists in the Java platform for many years and has been addressed in newer versions of Java such as Java 17. It allows executing arbitrary code when a malicious class is deserialized through the Java deserialization mechanism.

The JasperReports Library uses Java deserialization to load report templates from *.jasper files.
This means an attacker could craft a malicious *.jasper file and have it loaded by the application that uses JasperReports for generating reports. The malicious *.jasper file could be a main report template or could be a subreport template loaded from a remote URL to which the subreport expression points to.

Applications using JasperReports Library which run a set of predefined reports (canned reports) are not vulnerable because they load only trusted *.jasper files, most likely from the local application deployment. They do not offer the possibility to load report templates from outside and thus there is no way for an attacker to make use of the vulnerability.

But Java applications embedding JasperReports that allows users to run their own JRXML report templates or their own compiled *.jasper report templates are vulnerable because an attacker could bring in a malicious *.jasper file or have it loaded from a remote URL, thus being able to execute arbitrary code in the targeted Java application.

One way to prevent such an attack would be to make sure the parent Java application runs on Java 17 or later, where this type of attack is blocked by some changes made to the Java platform itself.

A fix for the JasperReports Library deserialization mechanism would benefit use cases where older versions of Java are used.

I hope this helps.
Teodor

[tbroyer]

Thank you for those details 👍

[ArpanC25]

Hi.. Any updates on when this fix will be available for community editions?

[cs-RobVanLooveren]

any updates on this?
is there a possibility of creating a patch version for version 6 of jasper reports

[kujen5]

Hello, any updates on this? Could we even at least get a proof of concept so we could patch it ourselves? Thanks.

[ctmay4]

We take security seriously and have already released a fix in our commercial edition. For the community edition we haven’t determined a release date at this time.

This was reported over a month ago and it still isn't fixed in the community edition. I understand the commercial version is the priority but any update on timeline for the community edition?

[teodord]

I want to mention again the fact that applications embedding JasperReports Library are not vulnerable to the CVE-2025-10492 if at least one of the following conditions are met:

1. the applications runs on Java 17 or later
2. the application runs only predefined report templates and users do not have any possibility to run reports that they bring to the applications themselves

These two conditions are so wide-spread (especially 2) that it significantly lowers the pressure to apply a fix for the issue.

[DManstrator]

I can understand that the circumstances lower the pressure but you mentioned that you already have a fix for it. And since this vulnerability was reported over a month ago, I can't understand why this fix was not brought to the community edition yet.

There is also [CVE-2025-48734] CWE-284: Improper Access Control which the current version of Jasper 7 provides / is affected by. This was even already fixed with 2401b3e.

I hope that you will consider providing the fix and releasing a new version in the foreseeable future.

[rfc-st]

Hi, @teodord

First of all, thank you for responding to this issue and keeping it open; it is much appreciated.

With all humility: Is there any kind of block, embargo, or limitation preventing this vulnerability from being fixed in the community edition?: it has been 46 days since the CVE was published.

I understand that it needed to be fixed first in the commercial edition, but why is the community edition still vulnerable today?.

Is it a resource issue, a business decision, or perhaps the CVE has not been escalated to Jaspersoft with the required urgency?.

Regards,

[jishah12]

Please refer the update from the team - https://community.jaspersoft.com/knowledgebase/faq/update-details-about-the-java-vulnerability-r4897/