CVE-2025-10492

9.8 CRITICAL

📋 TL;DR

A Java deserialization vulnerability in Jaspersoft Library allows remote attackers to execute arbitrary code by sending malicious serialized objects. This affects any system using the vulnerable library, potentially compromising entire applications and underlying servers. The high CVSS score indicates critical risk requiring immediate attention.

💻 Affected Systems

Products:
  • Jaspersoft Library
  • JasperReports
  • Applications using vulnerable Jaspersoft components
Versions: Specific versions not detailed in provided references; check vendor advisory for exact ranges
Operating Systems: All platforms running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using the vulnerable library component is affected regardless of configuration

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise leading to data theft, ransomware deployment, lateral movement across networks, and persistent backdoor installation.

🟠 Likely Case

Remote code execution allowing attackers to steal sensitive data, disrupt services, or use the system as a foothold for further attacks.

🟢 If Mitigated

Limited impact if proper network segmentation, input validation, and security controls prevent exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Java deserialization vulnerabilities are commonly exploited with publicly available tools and payloads

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://community.jaspersoft.com/advisories/jaspersoft-security-advisory-september-16-2025-jaspersoft-library-cve-2025-10492-r6/

Restart Required: Yes

Instructions:

1. Monitor the vendor advisory for the patch release
2. Apply the patch when available
3. Restart affected services
4. Verify the fix is in place

🔧 Temporary Workarounds

Input Validation Filter

all

Implement strict input validation to reject serialized objects from untrusted sources

Network Segmentation

all

Isolate affected systems from internet and restrict internal network access
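The "Input Validation Filter" workaround above can be implemented in Java itself with a JEP 290 deserialization filter (Java 9+): an allowlist of the classes the application actually expects, with everything else rejected before its readObject runs. The following is an added example written for this page, not code from Jaspersoft or from the advisory; the class name AllowlistDeserializer, the method names and the allowlisted types are assumptions chosen for the demonstration, and the sample payloads are constructed inline.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;

/**
 * Added example (not Jaspersoft code): an allowlist deserialization filter
 * applied to an ObjectInputStream so that only classes the application
 * expects can be instantiated. Any other class, including the classes a
 * gadget chain would need, is rejected before its readObject executes.
 */
public class AllowlistDeserializer {

    // Allowlist pattern (assumed for this example): the concrete types the
    // application legitimately exchanges. Number is listed because Integer's
    // serializable superclass descriptor is also checked by the filter.
    // The trailing "!*" rejects everything not listed; maxdepth and maxarray
    // bound graph depth and array sizes to limit resource-exhaustion payloads.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "java.util.ArrayList;java.lang.String;java.lang.Integer;java.lang.Number;"
            + "maxdepth=10;maxarray=1000;!*");

    /** Deserializes untrusted bytes under the allowlist filter. */
    public static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER); // must be set before readObject()
            return in.readObject();
        }
    }

    /** Helper used only to construct sample input for the demo. */
    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample 1: a payload built only from allowlisted classes is accepted.
        List<Object> payload = new ArrayList<>(List.of("report-1", 42));
        byte[] expected = serialize(payload);
        System.out.println("accepted: " + readFiltered(expected));

        // Constructed sample 2: java.util.Date is harmless but not allowlisted,
        // so the filter rejects it; an unexpected gadget class is treated the same way.
        byte[] unexpected = serialize(new Date());
        try {
            readFiltered(unexpected);
            System.out.println("unexpected payload was NOT rejected");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage()); // "filter status: REJECTED"
        }
    }
}
```

Because the vulnerable code here lives in a library rather than in code you control, the same pattern is more useful applied process-wide: pass it as the JVM system property -Djdk.serialFilter=... or set it once with ObjectInputFilter.Config.setSerialFilter(...), so every ObjectInputStream in the application, including those created inside Jaspersoft components, is subject to the allowlist. Build the allowlist from the types your deployment actually deserializes and test it against real traffic before enforcing it, since an over-narrow list breaks legitimate reports.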

🧯 If You Can't Patch

  • Implement web application firewall with deserialization attack detection rules
  • Disable or remove vulnerable components if not essential for business operations

🔍 How to Verify

Check if Vulnerable:

Check application dependencies for Jaspersoft Library version and compare with vendor advisory

Check Version:

Check application dependency files (pom.xml, build.gradle) or use: java -jar your-application.jar --version

Verify Fix Applied:

Test with safe deserialization payloads after implementing controls

📡 Detection & Monitoring

Log Indicators:

  • Java deserialization errors
  • Unexpected class loading
  • Suspicious network connections from application

Network Indicators:

  • Inbound requests with serialized Java objects
  • Outbound connections to unknown IPs from application

SIEM Query:

source="application.logs" AND ("InvalidClassException" OR "Serialization" OR "ObjectInputStream")
