Security Advisory: CVE-2025-10492 – Jaspersoft Library Deserialisation Vulnerability

Date Published: 2026-01-12

CVE Reference: CVE-2025-10492

Component: Jaspersoft JasperReports Library

Affected: Jaspersoft JasperReports Library (various editions)

Not Affected: Skyve Platform

Summary

CVE-2025-10492 describes a Java deserialisation vulnerability in the JasperReports Library. Improper handling of externally supplied serialised data may allow a remote attacker to execute arbitrary code on systems that use the affected library.

Vendor advisories confirm that this flaw exists in multiple JasperReports artifacts (Library, Server, Studio, IO) across both community and commercial editions, with a fix released for the commercial edition and a community fix pending.

Skyve Impact

After review, we confirm:

  • Skyve is not vulnerable to CVE-2025-10492 as deployed in Skyve applications.

Why Skyve Is Not Affected

  1. Trusted .jasper Loading Only

    Skyve exclusively loads pre-compiled .jasper report files from its local trusted repository; it does not load or deserialise arbitrary report definitions from external or untrusted sources.

  2. No Remote Deserialisation

    Skyve does not deserialise remote data or Java object streams outside controlled local caches. There is no mechanism in Skyve that would permit untrusted serialised content to trigger this class of vulnerability.

Because exploitation of this CVE relies on the JasperReports engine deserialising crafted content, and Skyve’s pattern of loading only trusted local reports prevents that scenario, Skyve installations are not exposed.

Details / Affected Software

CVE-2025-10492 affects multiple JasperReports components where untrusted serialised data could be loaded, including but not limited to:

  • JasperReports Library (Community & Professional)

  • JasperReports Server

  • JasperReports Studio

  • JasperReports IO editions (all versions up to and including the last known community releases, which do not yet carry a full patch)

If an application allows user-supplied JRXML or .jasper templates (e.g. by uploading or referencing them from remote URLs), it may be at risk.

The vulnerability has been given high/critical severity scores (e.g. CVSS 9.8 on NVD and high ratings from vendor data), reflecting the potential for remote code execution when exploited in a vulnerable context.

Recommended Actions (for Affected Systems)

Although Skyve itself isn’t affected, applications using JasperReports directly should take action if they include vulnerable versions of the library:

  • Apply Vendor Fixes / Upgrades

    Upgrade to JasperReports versions that include the official patch. At the time of disclosure, a fix has been released for the commercial edition, and a patch for the community edition is anticipated.

  • Limit Template Sources

    Do not accept or load user-provided report templates unless they have been validated and trusted.

  • Runtime Controls

    Restrict deserialisation to specific contexts, and prefer running on recent JVM versions with hardened deserialisation protections where practical.
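The following loader is an added illustration, not Skyve’s or JasperReports’ own code, of the two controls this advisory relies on: the trusted-repository-only loading described under "Why Skyve Is Not Affected", and the "Limit Template Sources" and "Runtime Controls" recommendations above. It resolves a caller-supplied report name strictly inside a trusted directory (rejecting path traversal and symlinks that escape it) and reads the .jasper object stream under a JEP 290 deserialisation filter (Java 9+), so that classes outside an allowlist are refused before they are instantiated. The class name `TrustedJasperLoader`, the allowlist contents and the sample files written by `main` are assumptions for the example; a real deployment would hand the returned object to JasperReports as a `JasperReport`, and the allowlist must be tuned against the application’s own compiled templates.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.OutputStream;
import java.math.BigDecimal;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;

/** Illustrative loader (hypothetical name; not part of Skyve or JasperReports). */
public final class TrustedJasperLoader {

    private final Path trustedRoot;
    private final ObjectInputFilter filter;

    public TrustedJasperLoader(Path trustedRoot) throws IOException {
        this.trustedRoot = trustedRoot.toRealPath();
        // JEP 290 allowlist: JasperReports model classes plus the JDK types they
        // reference, with graph-size limits; everything else ("!*") is rejected.
        // Assumption: this list is a starting point and must be tuned by loading
        // your own compiled templates and reviewing what the filter refuses.
        this.filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=50;maxrefs=20000;maxbytes=20000000;"
              + "net.sf.jasperreports.**;"
              + "java.lang.*;java.util.**;java.awt.Color;java.awt.Font;"
              + "!*");
    }

    /** Accept only a .jasper name that resolves (after symlinks) inside the trusted root. */
    public Path resolveTrusted(String reportName) throws IOException {
        if (reportName == null || !reportName.endsWith(".jasper")) {
            throw new IOException("only pre-compiled .jasper files are served");
        }
        Path candidate = trustedRoot.resolve(reportName).normalize();
        if (!candidate.startsWith(trustedRoot)) {
            throw new IOException("report path escapes trusted repository: " + reportName);
        }
        Path real = candidate.toRealPath(); // follows symlinks, so re-check containment
        if (!real.startsWith(trustedRoot)) {
            throw new IOException("report resolves outside trusted repository: " + reportName);
        }
        return real;
    }

    /** Deserialise a compiled report under the allowlist filter. */
    public Object load(String reportName) throws IOException, ClassNotFoundException {
        Path file = resolveTrusted(reportName);
        try (InputStream in = Files.newInputStream(file);
             ObjectInputStream ois = new ObjectInputStream(in)) {
            ois.setObjectInputFilter(filter); // must be set before readObject()
            return ois.readObject();          // a JasperReport in a real deployment
        }
    }

    // Demo with constructed files: the same filter that admits a java.util list
    // rejects a class outside the allowlist, and traversal outside the root fails.
    public static void main(String[] args) throws Exception {
        Path repo = Files.createTempDirectory("trusted-reports");
        writeObject(repo.resolve("ok.jasper"), new ArrayList<>(List.of("constructed")));
        writeObject(repo.resolve("bad.jasper"), new BigDecimal("1.0")); // java.math not allowed

        TrustedJasperLoader loader = new TrustedJasperLoader(repo);
        System.out.println("ok.jasper  -> " + loader.load("ok.jasper"));
        for (String name : new String[] {"bad.jasper", "../../etc/passwd.jasper", "ok.jrxml"}) {
            try {
                loader.load(name);
                System.out.println(name + " -> unexpectedly loaded");
            } catch (IOException e) { // InvalidClassException for the filter rejection
                System.out.println(name + " -> rejected: " + e.getMessage());
            }
        }
    }

    private static void writeObject(Path file, Object o) throws IOException {
        try (OutputStream out = Files.newOutputStream(file);
             ObjectOutputStream oos = new ObjectOutputStream(out)) {
            oos.writeObject(o);
        }
    }
}
```

The per-stream `setObjectInputFilter` call covers only streams you open yourself; if the application lets JasperReports’ own loader open the file, apply the same pattern process-wide instead, either with `ObjectInputFilter.Config.setSerialFilter(filter)` at startup or with the `-Djdk.serialFilter=...` JVM option, so that every `ObjectInputStream` in the JVM inherits it. Rejections surface as `java.io.InvalidClassException`, which is worth logging and alerting on, since a filter hit on a report path that should only ever contain trusted templates is a strong signal of tampering.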

Skyve Platform Roadmap

Although Skyve is not vulnerable to CVE-2025-10492 under current operating conditions, we will update our bundled JasperReports dependencies to the next community release that includes the upstream fix as soon as it is available to ensure alignment with upstream security hardening.

Need Help?

If you’re unsure about your deployment or want to verify that you are not exposing a Skyve-integrated JasperReports instance to risk, please contact the Skyve team via GitHub, Slack, or your usual support channel.

Ben Petito