Jaspersoft Library Deserialisation Vulnerability
Description
A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A Java deserialization vulnerability in Jaspersoft Library allows remote code execution via improper handling of untrusted data.
Vulnerability
Overview
CVE-2025-10492 is a Java deserialization vulnerability in the Jaspersoft Library (JasperReports). The root cause is improper handling of externally supplied data during deserialization, which can lead to arbitrary code execution. The issue affects both JasperReports Library 6.x and 7.x versions, as confirmed by the vendor's advisory [1][4].
Exploitation
An attacker can exploit this vulnerability by supplying a crafted serialized object to an application that uses the affected library. No authentication is required if the deserialization endpoint is exposed. The attack surface includes any system that processes untrusted serialized data through the JasperReports Library, such as report generation or template loading [2][3].
Impact
Successful exploitation allows an attacker to execute arbitrary code remotely on the target system. This could lead to full compromise of the host, which in turn can lead to data theft, service disruption, or further lateral movement within the network. The vulnerability is classified as critical due to its potential for remote code execution [3].
Mitigation
The vendor has released a fix in commit 827c2f27c4ca8e2c5b3142d76df9c1c8575f3569, which adds a class filter to restrict deserialization to a whitelist of allowed classes [2]. Users should upgrade to the patched version immediately. For versions that cannot be upgraded, the vendor recommends enabling the class filter via the net.sf.jasperreports.report.class.filter.enabled property [2][4].
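As an added check that is not part of this advisory or of JasperReports itself, the following Java program lets an operator confirm that the deserialization class filter introduced by the fix is actually enforced in their deployment: it serializes a constructed probe class that appears on no whitelist and feeds it to ContextClassLoaderObjectInputStream, the stream the patch guards. It assumes JasperReports 7.0.4 (or a later release containing the fix) on the classpath, the property names shown in the patch, and the public SimpleJasperReportsContext/DefaultJasperReportsContext API.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

import net.sf.jasperreports.engine.DefaultJasperReportsContext;
import net.sf.jasperreports.engine.JRRuntimeException;
import net.sf.jasperreports.engine.JasperReportsContext;
import net.sf.jasperreports.engine.SimpleJasperReportsContext;
import net.sf.jasperreports.engine.util.ContextClassLoaderObjectInputStream;

public class DeserializationFilterProbe
{
    // Constructed probe class (assumption: it is on no shipped or custom whitelist),
    // so a correctly configured filter must refuse to resolve it.
    static final class NotWhitelisted implements Serializable
    {
        private static final long serialVersionUID = 1L;
        String marker = "probe";
    }

    static byte[] serialize(Object o) throws Exception
    {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos))
        {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /**
     * Returns true when the context's guarded stream refuses the payload, either
     * because the class filter rejects the probe class or because the byte-count
     * limit is exceeded; both surface as JRRuntimeException in the patched code.
     */
    static boolean filterRejects(JasperReportsContext ctx, byte[] payload) throws Exception
    {
        try (ContextClassLoaderObjectInputStream ois =
                new ContextClassLoaderObjectInputStream(ctx, new ByteArrayInputStream(payload)))
        {
            ois.readObject();
            return false; // object was reconstructed: filter is off or too permissive
        }
        catch (JRRuntimeException e)
        {
            return true; // e.g. message key deserialization.class.not.visible
        }
    }

    public static void main(String[] args) throws Exception
    {
        byte[] payload = serialize(new NotWhitelisted());

        // 1. Default context: with the fix, the filter flag is documented as defaulting to true,
        //    so the probe must be rejected here on a patched installation.
        JasperReportsContext defaults = DefaultJasperReportsContext.getInstance();
        System.out.println("default context rejects probe: " + filterRejects(defaults, payload));

        // 2. Same check with the filter explicitly disabled, to show what a weak setting looks like.
        SimpleJasperReportsContext off = new SimpleJasperReportsContext(defaults);
        off.setProperty("net.sf.jasperreports.deserialization.class.filter.enabled", "false");
        System.out.println("filter-disabled context rejects probe: " + filterRejects(off, payload));

        // 3. Filter left on, plus a byte-count limit far smaller than the payload: the stream
        //    is cut off before the class descriptor is even fully read.
        SimpleJasperReportsContext capped = new SimpleJasperReportsContext(defaults);
        capped.setProperty("net.sf.jasperreports.deserialization.byte.count.limit", "16");
        System.out.println("byte-limited context rejects probe: " + filterRejects(capped, payload));
    }
}
```

On an unpatched 6.x/7.x library the first line prints false, which is the quickest way to tell whether a given deployment still has the unguarded stream.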
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| net.sf.jasperreports:jasperreports (Maven) | < 7.0.4 | 7.0.4 |
Affected products
- Jaspersoft/JasperReports IO At-Scale
- Jaspersoft/JasperReports IO Professional
- Jaspersoft/JasperReports Library Community Edition
- Jaspersoft/JasperReports Library Professional
- Jaspersoft/JasperReports Server
- Jaspersoft/JasperReports Web Studio
- Jaspersoft/Jaspersoft Studio Community Edition
- Jaspersoft/Jaspersoft Studio Professional
Patches
23541a3e2b1adadd more classes to deserialization whitelist
1 file changed · +1 −2
core/src/main/resources/default.jasperreports.properties+1 −2 modified@@ -429,8 +429,7 @@ net.sf.jasperreports.deserialization.class.whitelist.jasperreports.core=\ net.sf.jasperreports.engine.analytics.dataset.BucketOrder,\ net.sf.jasperreports.engine.analytics.dataset.Base*,\ net.sf.jasperreports.engine.analytics.dataset.DataAxis,\ - net.sf.jasperreports.engine.base.BaseDatasetPropertyExpression,\ - net.sf.jasperreports.engine.base.BasePrintBookmark,\ + net.sf.jasperreports.engine.base.Base*,\ net.sf.jasperreports.engine.base.ElementsBlock,\ net.sf.jasperreports.engine.base.JRBase*,\ net.sf.jasperreports.engine.base.JRVirtualPrintPage,\
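Review bot: replacing the two explicit entries with `net.sf.jasperreports.engine.base.Base*` admits every class in `net.sf.jasperreports.engine.base` whose simple name starts with `Base`, not only `BaseDatasetPropertyExpression` and `BasePrintBookmark`; a single `*` is package-bounded (it compiles to `[^.]*` in `StandardClassWhitelist`), so subpackages stay excluded, but the commit message should list which classes the wildcard newly admits and confirm that none of them has a `readObject`/`readResolve` that does more than restore fields. Each whitelist entry is a per-class trust decision, and a wildcard needs the same audit as the names it replaces.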
827c2f27c4ca add deserialization class filter
19 files changed · +855 −219
core/config.reference.xml+52 −0 modified@@ -5851,6 +5851,58 @@ flag needs to be set in order for the whitelist to apply. </configProperty> + <!-- net.sf.jasperreports.deserialization.class.filter.enabled --> + + <configProperty name="net.sf.jasperreports.deserialization.class.filter.enabled"> + <description> +Flag to enable filtering of classes that can be used in serialized objects such as compiled report templates or generated reports. +<br/> +The list of allowed classes is configured via +<a href="#net.sf.jasperreports.deserialization.class.whitelist.{arbitrary_name}">net.sf.jasperreports.deserialization.class.whitelist.{arbitrary_name}</a> +properties. + </description> + </configProperty> + + + <!-- net.sf.jasperreports.deserialization.class.whitelist.{arbitrary_name} --> + + <configProperty name="net.sf.jasperreports.deserialization.class.whitelist.{arbitrary_name}"> + <description> +Defines a list of classes that are allowed in serialized objects such as compiled report templates or generated reports. +<br/> +The property value should be a comma separated list of class names. Wildcards are supported in class names: +<ul> + <li><code>*</code> stands for any class/package name or part of a class/package name, e.g. + <ul> + <li><code>net.sf.jasperreports.*</code> means any class in the <code>net.sf.jasperreports</code> package (but not in subpackages)</li> + <li><code>net.sf.jasperreports.*Enum</code> means any class in the <code>net.sf.jasperreports</code> package that ends in <code>Enum</code></li> + </ul> + </li> + <li><code>**</code> stands for any fully qualified class name or part of a fully qualified class name, e.g. 
+ <ul> + <li><code>net.sf.jasperreports.**</code> means any class in the <code>net.sf.jasperreports</code> package or in a subpackage</li> + <li><code>net.sf.jasperreports.**Enum</code> means any class that ends in <code>Enum</code> in the <code>net.sf.jasperreports</code> package or in a subpackage</li> + <li><code>**</code> means any class (note that for performance reasons instead of whitelisting all classes it's better to unset the <code>net.sf.jasperreports.deserialization.class.filter.enabled</code> flag)</li> + </ul> + </li> +</ul> +<br/> +The <a href="#net.sf.jasperreports.deserialization.class.filter.enabled">net.sf.jasperreports.deserialization.class.filter.enabled</a> +flag needs to be set in order for the whitelist to apply. + </description> + </configProperty> + + + <!-- net.sf.jasperreports.deserialization.byte.count.limit --> + + <configProperty name="net.sf.jasperreports.deserialization.byte.count.limit"> + <description> +This property specifies the maximum number of bytes that can be read from a stream when deserializing objects such as compiled report templates or generated reports. +When not set, there is no limit. + </description> + </configProperty> + + <!-- net.sf.jasperreports.legacy.compiler.source.included.parameters --> <configProperty name="net.sf.jasperreports.legacy.compiler.source.included.parameters">
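Review bot: the description of `net.sf.jasperreports.deserialization.class.filter.enabled` does not state its default, while the `@Property` annotation on `DeserializationClassFilter.PROPERTY_CLASS_FILTER_ENABLED` declares `defaultValue = "true"`; operators reading the reference need that stated here, together with a pointer to the shipped `net.sf.jasperreports.deserialization.class.whitelist.jasperreports.core` list, so that they understand the filter is on out of the box and that a custom `net.sf.jasperreports.deserialization.class.whitelist.{arbitrary_name}` property adds to, rather than replaces, that list. For `net.sf.jasperreports.deserialization.byte.count.limit`, "When not set, there is no limit" should also say that `0` (the fallback passed to `getLongProperty` in `wrapInputStream`) and negative values mean no limit, and suggest setting a value, since an unbounded stream is the default.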
core/src/main/java/net/sf/jasperreports/compilers/ReportClassFilter.java+25 −109 modified@@ -23,36 +23,27 @@ */ package net.sf.jasperreports.compilers; -import java.util.ArrayList; -import java.util.List; -import java.util.Map; -import java.util.concurrent.ConcurrentHashMap; - import net.sf.jasperreports.annotations.properties.Property; import net.sf.jasperreports.annotations.properties.PropertyScope; import net.sf.jasperreports.engine.JRPropertiesUtil; -import net.sf.jasperreports.engine.JRPropertiesUtil.PropertySuffix; -import net.sf.jasperreports.engine.JRRuntimeException; import net.sf.jasperreports.engine.JasperReportsContext; -import net.sf.jasperreports.engine.util.ClassLoaderFilter; -import net.sf.jasperreports.functions.FunctionsBundle; -import net.sf.jasperreports.functions.FunctionsUtil; +import net.sf.jasperreports.engine.util.AbstractClassFilter; +import net.sf.jasperreports.engine.util.StandardClassWhitelist; import net.sf.jasperreports.properties.PropertyConstants; /** * @author Lucian Chirita (lucianc@users.sourceforge.net) */ -public class ReportClassFilter implements ClassLoaderFilter +public class ReportClassFilter extends AbstractClassFilter { - @Property( category = PropertyConstants.CATEGORY_FILL, defaultValue = "false", scopes = {PropertyScope.CONTEXT}, sinceVersion = PropertyConstants.VERSION_6_13_0, valueType = Boolean.class ) - public static final String PROPERTY_PREFIX_CLASS_FILTER_ENABLED = + public static final String PROPERTY_CLASS_FILTER_ENABLED = JRPropertiesUtil.PROPERTY_PREFIX + "report.class.filter.enabled"; @Property( 
@@ -65,8 +56,27 @@ public class ReportClassFilter implements ClassLoaderFilter JRPropertiesUtil.PROPERTY_PREFIX + "report.class.whitelist."; public static final String EXCEPTION_MESSAGE_KEY_CLASS_NOT_VISIBLE = "compilers.class.not.visible"; + + @Override + protected String getClassFilterEnabledPropertyName() + { + return PROPERTY_CLASS_FILTER_ENABLED; + } + + @Override + protected String getClassWhitelistPropertyPrefix() + { + return PROPERTY_PREFIX_CLASS_WHITELIST; + } + + @Override + protected String getClassNotVisibleExceptionMessageKey() + { + return EXCEPTION_MESSAGE_KEY_CLASS_NOT_VISIBLE; + } - private static void addHardcodedWhitelist(StandardReportClassWhitelist whitelist) + @Override + protected void addHardcodedWhitelist(StandardClassWhitelist whitelist) { whitelist.addClass("java.lang.Boolean"); whitelist.addClass("java.lang.String"); 
@@ -82,103 +92,9 @@ private static void addHardcodedWhitelist(StandardReportClassWhitelist whitelist whitelist.addClass("java.lang.Math"); } - private boolean filterEnabled; - private List<ReportClassWhitelist> whitelists; - - private Map<String, Boolean> visibilityCache = new ConcurrentHashMap<>(); - public ReportClassFilter(JasperReportsContext jasperReportsContext) { - JRPropertiesUtil properties = JRPropertiesUtil.getInstance(jasperReportsContext); - filterEnabled = properties.getBooleanProperty(PROPERTY_PREFIX_CLASS_FILTER_ENABLED); - if (filterEnabled) - { - whitelists = new ArrayList<>(); - - StandardReportClassWhitelist whitelist = new StandardReportClassWhitelist(); - addHardcodedWhitelist(whitelist); - loadPropertiesWhitelist(properties, whitelist); - loadFunctionsWhitelist(jasperReportsContext, whitelist); - whitelists.add(whitelist); - - List<ReportClassWhitelist> extensionWhitelists = jasperReportsContext.getExtensions( - ReportClassWhitelist.class); - whitelists.addAll(extensionWhitelists); - } - } - - private static void loadPropertiesWhitelist(JRPropertiesUtil propertiesUtil, - StandardReportClassWhitelist whitelist) - { - List<PropertySuffix> properties = propertiesUtil.getProperties(PROPERTY_PREFIX_CLASS_WHITELIST); - for (PropertySuffix propertySuffix : properties) - { - String whitelistString = propertySuffix.getValue(); - whitelist.addWhitelist(whitelistString); - } - } - - private static void loadFunctionsWhitelist(JasperReportsContext jasperReportsContext, - StandardReportClassWhitelist whitelist) - { - FunctionsUtil functionsUtil = FunctionsUtil.getInstance(jasperReportsContext); - List<FunctionsBundle> functionBundles = functionsUtil.getAllFunctionBundles(); - for (FunctionsBundle functionsBundle : functionBundles) - { - List<Class<?>> functionClasses = functionsBundle.getFunctionClasses(); - for (Class<?> functionClass : functionClasses) - { - whitelist.addClass(functionClass.getName()); - } - } - } - - public boolean isFilteringEnabled() 
- { - return filterEnabled; - } - - @Override - public void checkClassVisibility(String className) throws JRRuntimeException - { - boolean visible = isClassVisible(className); - if (!visible) - { - throw new JRRuntimeException(EXCEPTION_MESSAGE_KEY_CLASS_NOT_VISIBLE, new Object[] {className}); - } - } - - public boolean isClassVisible(String className) - { - Boolean visible = visibilityCache.get(className); - if (visible == null) - { - visible = visible(className); - visibilityCache.put(className, visible); - } - return visible; - } - - protected boolean visible(String className) - { - boolean visible; - if (filterEnabled) - { - visible = false; - for (ReportClassWhitelist whitelist : whitelists) - { - if (whitelist.includesClass(className)) - { - visible = true; - break; - } - } - } - else - { - visible = true; - } - return visible; + super(jasperReportsContext); } }
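Review bot: renaming the public constant `PROPERTY_PREFIX_CLASS_FILTER_ENABLED` to `PROPERTY_CLASS_FILTER_ENABLED` breaks source and binary compatibility for any extension or application that referenced the old name; keep a `@Deprecated public static final String PROPERTY_PREFIX_CLASS_FILTER_ENABLED = PROPERTY_CLASS_FILTER_ENABLED;` alias for at least one release. The class's constructor is now a bare `super(jasperReportsContext)`, so everything it used to do (property whitelist, functions whitelist, extension lookup) is delegated to `AbstractClassFilter` and its behaviour should be re-verified against the removed code rather than assumed unchanged.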
core/src/main/java/net/sf/jasperreports/compilers/StandardReportClassWhitelist.java+2 −107 modified@@ -23,116 +23,11 @@ */ package net.sf.jasperreports.compilers; -import java.util.ArrayList; -import java.util.HashSet; -import java.util.List; -import java.util.Set; -import java.util.regex.Matcher; -import java.util.regex.Pattern; +import net.sf.jasperreports.engine.util.StandardClassWhitelist; /** * @author Lucian Chirita (lucianc@users.sourceforge.net) */ -public class StandardReportClassWhitelist implements ReportClassWhitelist +public class StandardReportClassWhitelist extends StandardClassWhitelist implements ReportClassWhitelist { - - public static final String WHITELIST_SEPARATOR = ","; - - private static final String WHITELIST_SEPARATOR_PATTERN = Pattern.quote(WHITELIST_SEPARATOR); - - private static final char WILDCARD = '*'; - - private static final Pattern WILDCARD_PATTERN = Pattern.compile("\\*+"); - - private Set<String> classWhitelist; - private List<Pattern> whitelistPatterns; - - public StandardReportClassWhitelist() - { - this.classWhitelist = new HashSet<>(); - this.whitelistPatterns = new ArrayList<>(); - } - - @Override - public boolean includesClass(String className) - { - if (classWhitelist.contains(className)) - { - return true; - } - - if (!whitelistPatterns.isEmpty()) - { - for (Pattern pattern : whitelistPatterns) - { - if (pattern.matcher(className).matches()) - { - return true; - } - } - } - return false; - } - - public void addClass(String className) - { - classWhitelist.add(className); - } - - public void addWhitelist(String whitelist) - { - String[] classes = whitelist.split(WHITELIST_SEPARATOR_PATTERN); - for (String whitelistClass : classes) - { - whitelistClass = whitelistClass.trim(); - if (!whitelistClass.isEmpty()) - { - if (whitelistClass.indexOf(WILDCARD) >= 0) - { - addPattern(whitelistClass); - } - classWhitelist.add(whitelistClass); - } - } - } - - protected void addPattern(String classWildcard) - { - Matcher matcher = 
WILDCARD_PATTERN.matcher(classWildcard); - StringBuilder patternStr = new StringBuilder(); - int prevIndex = 0; - while (matcher.find()) - { - int matchStart = matcher.start(); - int matchEnd = matcher.end(); - if (matchStart > prevIndex) - { - patternStr.append(Pattern.quote(classWildcard.substring(prevIndex, matchStart))); - } - - if (matchStart + 1 == matchEnd) - { - //single * - use class name pattern - //class names allow almost any character, see Character.isJavaIdentifierPart - //allowing anything except points to exclude packages - patternStr.append("[^\\.]*"); - } - else - { - //multiple * - use class and package pattern - patternStr.append(".*"); - } - - prevIndex = matchEnd; - } - - if (prevIndex < classWildcard.length()) - { - patternStr.append(Pattern.quote(classWildcard.substring(prevIndex, classWildcard.length()))); - } - - Pattern pattern = Pattern.compile(patternStr.toString()); - whitelistPatterns.add(pattern); - } - }
core/src/main/java/net/sf/jasperreports/engine/util/AbstractClassFilter.java+150 −0 added@@ -0,0 +1,150 @@ +/* + * JasperReports - Free Java Reporting Library. + * Copyright (C) 2001 - 2025 Cloud Software Group, Inc. All rights reserved. + * http://www.jaspersoft.com + * + * Unless you have purchased a commercial license agreement from Jaspersoft, + * the following license terms apply: + * + * This program is part of JasperReports. + * + * JasperReports is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * JasperReports is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with JasperReports. If not, see <http://www.gnu.org/licenses/>. 
+ */ +package net.sf.jasperreports.engine.util; + +import java.util.ArrayList; +import java.util.List; +import java.util.Map; +import java.util.concurrent.ConcurrentHashMap; + +import net.sf.jasperreports.engine.JRPropertiesUtil; +import net.sf.jasperreports.engine.JRPropertiesUtil.PropertySuffix; +import net.sf.jasperreports.engine.JRRuntimeException; +import net.sf.jasperreports.engine.JasperReportsContext; +import net.sf.jasperreports.functions.FunctionsBundle; +import net.sf.jasperreports.functions.FunctionsUtil; + +/** + * @author Lucian Chirita (lucianc@users.sourceforge.net) + */ +public abstract class AbstractClassFilter implements ClassLoaderFilter +{ + protected abstract String getClassFilterEnabledPropertyName(); + + protected abstract String getClassWhitelistPropertyPrefix(); + + protected abstract String getClassNotVisibleExceptionMessageKey(); + + protected abstract void addHardcodedWhitelist(StandardClassWhitelist whitelist); + + private boolean filterEnabled; + private List<ClassWhitelist> whitelists; + + private Map<String, Boolean> visibilityCache = new ConcurrentHashMap<>(); + + public AbstractClassFilter(JasperReportsContext jasperReportsContext) + { + JRPropertiesUtil properties = JRPropertiesUtil.getInstance(jasperReportsContext); + filterEnabled = properties.getBooleanProperty(getClassFilterEnabledPropertyName()); + if (filterEnabled) + { + whitelists = new ArrayList<>(); + + StandardClassWhitelist whitelist = new StandardClassWhitelist(); + addHardcodedWhitelist(whitelist); + loadPropertiesWhitelist(properties, whitelist); + loadFunctionsWhitelist(jasperReportsContext, whitelist); + whitelists.add(whitelist); + + List<DeserializationClassWhitelist> extensionWhitelists = jasperReportsContext.getExtensions( + DeserializationClassWhitelist.class); + whitelists.addAll(extensionWhitelists); + } + } + + private void loadPropertiesWhitelist(JRPropertiesUtil propertiesUtil, + StandardClassWhitelist whitelist) + { + List<PropertySuffix> properties = 
propertiesUtil.getProperties(getClassWhitelistPropertyPrefix()); + for (PropertySuffix propertySuffix : properties) + { + String whitelistString = propertySuffix.getValue(); + whitelist.addWhitelist(whitelistString); + } + } + + private static void loadFunctionsWhitelist(JasperReportsContext jasperReportsContext, + StandardClassWhitelist whitelist) + { + FunctionsUtil functionsUtil = FunctionsUtil.getInstance(jasperReportsContext); + List<FunctionsBundle> functionBundles = functionsUtil.getAllFunctionBundles(); + for (FunctionsBundle functionsBundle : functionBundles) + { + List<Class<?>> functionClasses = functionsBundle.getFunctionClasses(); + for (Class<?> functionClass : functionClasses) + { + whitelist.addClass(functionClass.getName()); + } + } + } + + public boolean isFilteringEnabled() + { + return filterEnabled; + } + + @Override + public void checkClassVisibility(String className) throws JRRuntimeException + { + boolean visible = isClassVisible(className); + if (!visible) + { + throw new JRRuntimeException(getClassNotVisibleExceptionMessageKey(), new Object[] {className}); + } + } + + public boolean isClassVisible(String className) + { + Boolean visible = visibilityCache.get(className); + if (visible == null) + { + visible = visible(className); + visibilityCache.put(className, visible); + } + return visible; + } + + protected boolean visible(String className) + { + boolean visible; + if (filterEnabled) + { + visible = false; + for (ClassWhitelist whitelist : whitelists) + { + if (whitelist.includesClass(className)) + { + visible = true; + break; + } + } + } + else + { + visible = true; + } + return visible; + } + +}
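Review bot: the constructor looks up extension whitelists with `jasperReportsContext.getExtensions(DeserializationClassWhitelist.class)` for every subclass, but the code removed from `ReportClassFilter` queried `ReportClassWhitelist.class`; because `ReportClassFilter` now delegates entirely to this constructor, existing `ReportClassWhitelist` extensions are no longer consulted by the report class filter, and any `DeserializationClassWhitelist` extension now widens the report compiler's filter as well. Add a hook such as `protected abstract Class<? extends ClassWhitelist> getExtensionWhitelistClass();` and query that. `loadFunctionsWhitelist` has the same shape of problem: whitelisting every report function class is needed for expression compilation, but a deserialized report should not need to instantiate function classes, so that step belongs behind a subclass hook rather than running for both filters.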
core/src/main/java/net/sf/jasperreports/engine/util/ClassWhitelist.java+34 −0 added@@ -0,0 +1,34 @@ +/* + * JasperReports - Free Java Reporting Library. + * Copyright (C) 2001 - 2025 Cloud Software Group, Inc. All rights reserved. + * http://www.jaspersoft.com + * + * Unless you have purchased a commercial license agreement from Jaspersoft, + * the following license terms apply: + * + * This program is part of JasperReports. + * + * JasperReports is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * JasperReports is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with JasperReports. If not, see <http://www.gnu.org/licenses/>. + */ +package net.sf.jasperreports.engine.util; + +/** + * @author Lucian Chirita (lucianc@users.sourceforge.net) + */ +public interface ClassWhitelist +{ + + boolean includesClass(String className); + +}
core/src/main/java/net/sf/jasperreports/engine/util/ContextClassLoaderObjectInputStream.java+118 −1 modified@@ -24,13 +24,19 @@ package net.sf.jasperreports.engine.util; import java.awt.Font; +import java.io.FilterInputStream; import java.io.IOException; import java.io.InputStream; import java.io.ObjectInputStream; import java.io.ObjectStreamClass; +import net.sf.jasperreports.annotations.properties.Property; +import net.sf.jasperreports.annotations.properties.PropertyScope; +import net.sf.jasperreports.engine.JRPropertiesUtil; +import net.sf.jasperreports.engine.JRRuntimeException; import net.sf.jasperreports.engine.JasperReportsContext; import net.sf.jasperreports.engine.fonts.FontUtil; +import net.sf.jasperreports.properties.PropertyConstants; /** * A subclass of {@link ObjectInputStream} that uses @@ -41,8 +47,20 @@ */ public class ContextClassLoaderObjectInputStream extends ObjectInputStream { + @Property( + category = PropertyConstants.CATEGORY_OTHER, + scopes = {PropertyScope.CONTEXT}, + sinceVersion = PropertyConstants.VERSION_7_0_4, + valueType = Long.class + ) + public static final String PROPERTY_BYTE_COUNT_LIMIT = + JRPropertiesUtil.PROPERTY_PREFIX + "deserialization.byte.count.limit"; + private final JasperReportsContext jasperReportsContext; + private DeserializationClassFilter deserializationClassFilter; + + /** * Creates an object input stream that reads data from the specified * {@link InputStream}. @@ -53,7 +71,7 @@ public class ContextClassLoaderObjectInputStream extends ObjectInputStream */ public ContextClassLoaderObjectInputStream(JasperReportsContext jasperReportsContext, InputStream in) throws IOException { - super(in); + super(wrapInputStream(jasperReportsContext, in)); this.jasperReportsContext = jasperReportsContext; 
@@ -65,6 +83,14 @@ public ContextClassLoaderObjectInputStream(JasperReportsContext jasperReportsCon { //FIXMEFONT we silence this for applets. but are there other similar situations that we need to deal with by signing jars? } + + this.deserializationClassFilter = new DeserializationClassFilter(jasperReportsContext); + } + + private static InputStream wrapInputStream(JasperReportsContext jasperReportsContext, InputStream is) + { + long byteCountLimit = JRPropertiesUtil.getInstance(jasperReportsContext).getLongProperty(PROPERTY_BYTE_COUNT_LIMIT, 0); + return byteCountLimit == 0 ? is : new CountInputStream(is, byteCountLimit); } /** @@ -84,6 +110,23 @@ public JasperReportsContext getJasperReportsContext() protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException { + if (deserializationClassFilter.isFilteringEnabled()) + { + String className = desc.getName(); + if (className.startsWith("[")) + { + if (className.endsWith(";")) + { + className = className.substring(className.lastIndexOf("[L") + 2, className.length() - 1); + } + else + { + className = className.substring(className.lastIndexOf("[") + 1); + } + } + deserializationClassFilter.checkClassVisibility(className); + } + try { return super.resolveClass(desc); 
@@ -130,3 +173,77 @@ protected Object resolveObject(Object obj) throws IOException } + +class CountInputStream extends FilterInputStream +{ + public static final String EXCEPTION_MESSAGE_KEY_DESERIALIZATION_BYTE_COUNT_LIMIT_EXCEEDED = "deserialization.byte.count.limit.exceeded"; + + private long byteCount = 0; + private final long byteCountLimit; + + public CountInputStream(InputStream is, long byteCountLimit) + { + super(is); + + this.byteCountLimit = byteCountLimit; + } + + + @Override + public int read() throws IOException + { + int r = super.read(); + if (r >= 0) + { + byteCount++; + if (byteCountLimit > 0 && byteCount > byteCountLimit) + { + throw new JRRuntimeException(EXCEPTION_MESSAGE_KEY_DESERIALIZATION_BYTE_COUNT_LIMIT_EXCEEDED, new Object[] {byteCountLimit}); + } + } + return r; + } + + @Override + public int read(byte[] buf) throws IOException + { + int r = super.read(buf); + if (r >= 0) + { + byteCount += r; + if (byteCountLimit > 0 && byteCount > byteCountLimit) + { + throw new JRRuntimeException(EXCEPTION_MESSAGE_KEY_DESERIALIZATION_BYTE_COUNT_LIMIT_EXCEEDED, new Object[] {byteCountLimit}); + } + } + return r; + } + + @Override + public int read(byte[] buf, int off, int len) throws IOException + { + int r = super.read(buf, off, len); + if (r >= 0) + { + byteCount += r; + if (byteCountLimit > 0 && byteCount > byteCountLimit) + { + throw new JRRuntimeException(EXCEPTION_MESSAGE_KEY_DESERIALIZATION_BYTE_COUNT_LIMIT_EXCEEDED, new Object[] {byteCountLimit}); + } + } + return r; + } + + @Override + public long skip(long n) throws IOException + { + long r = super.skip(n); + byteCount += r; + if (byteCountLimit > 0 && byteCount > byteCountLimit) + { + throw new JRRuntimeException(EXCEPTION_MESSAGE_KEY_DESERIALIZATION_BYTE_COUNT_LIMIT_EXCEEDED, new Object[] {byteCountLimit}); + } + return r; + } + +}
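Review bot: `CountInputStream.read(byte[] buf)` double-counts. `FilterInputStream.read(byte[])` is implemented as `read(b, 0, b.length)`, a virtual call that lands in the overridden three-argument `read`, which already adds `r` to `byteCount`; the one-argument override then adds `r` again, so callers using that form hit the limit at half the configured value. Drop the one-argument override, or have it call `read(buf, 0, buf.length)` without counting. Two further points on this file: the limit is raised as an unchecked `JRRuntimeException` out of `read()`, so code that wraps `readObject` (and the header read in the `ObjectInputStream` constructor) in a `catch (IOException)` will not see it as a stream failure, and an `IOException` subclass would fit better; and the visibility check in `resolveClass` covers plain and array descriptors only, while `resolveProxyClass` is not touched in this change, so the interface names of a dynamic-proxy descriptor would not be checked against the whitelist. If the supported JDK is 9 or newer, installing a JDK `ObjectInputFilter` via `setObjectInputFilter` alongside this check would cover proxy classes, depth, array length and reference counts in one place.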
core/src/main/java/net/sf/jasperreports/engine/util/DeserializationClassFilter.java+105 −0 added@@ -0,0 +1,105 @@ +/* + * JasperReports - Free Java Reporting Library. + * Copyright (C) 2001 - 2025 Cloud Software Group, Inc. All rights reserved. + * http://www.jaspersoft.com + * + * Unless you have purchased a commercial license agreement from Jaspersoft, + * the following license terms apply: + * + * This program is part of JasperReports. + * + * JasperReports is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * JasperReports is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with JasperReports. If not, see <http://www.gnu.org/licenses/>. 
+ */ +package net.sf.jasperreports.engine.util; + +import net.sf.jasperreports.annotations.properties.Property; +import net.sf.jasperreports.annotations.properties.PropertyScope; +import net.sf.jasperreports.engine.JRPropertiesUtil; +import net.sf.jasperreports.engine.JasperReportsContext; +import net.sf.jasperreports.properties.PropertyConstants; + +/** + * @author Teodor Danciu (teodord@users.sourceforge.net) + */ +public class DeserializationClassFilter extends AbstractClassFilter +{ + @Property( + category = PropertyConstants.CATEGORY_OTHER, + defaultValue = "true", + scopes = {PropertyScope.CONTEXT}, + sinceVersion = PropertyConstants.VERSION_7_0_4, + valueType = Boolean.class + ) + public static final String PROPERTY_CLASS_FILTER_ENABLED = + JRPropertiesUtil.PROPERTY_PREFIX + "deserialization.class.filter.enabled"; + + @Property( + category = PropertyConstants.CATEGORY_OTHER, + scopes = {PropertyScope.CONTEXT}, + sinceVersion = PropertyConstants.VERSION_7_0_4, + name = "net.sf.jasperreports.deserialization.class.whitelist.{arbitrary_name}" + ) + public static final String PROPERTY_PREFIX_CLASS_WHITELIST = + JRPropertiesUtil.PROPERTY_PREFIX + "deserialization.class.whitelist."; + + public static final String EXCEPTION_MESSAGE_KEY_CLASS_NOT_VISIBLE = "deserialization.class.not.visible"; + + @Override + protected String getClassFilterEnabledPropertyName() + { + return PROPERTY_CLASS_FILTER_ENABLED; + } + + @Override + protected String getClassWhitelistPropertyPrefix() + { + return PROPERTY_PREFIX_CLASS_WHITELIST; + } + + @Override + protected String getClassNotVisibleExceptionMessageKey() + { + return EXCEPTION_MESSAGE_KEY_CLASS_NOT_VISIBLE; + } + + @Override + protected void addHardcodedWhitelist(StandardClassWhitelist whitelist) + { + whitelist.addClass("B"); + //whitelist.addClass("C"); + whitelist.addClass("D"); + whitelist.addClass("F"); + whitelist.addClass("I"); + whitelist.addClass("J"); + whitelist.addClass("S"); + whitelist.addClass("Z"); + 
whitelist.addClass("java.lang.Boolean"); + whitelist.addClass("java.lang.Byte"); + whitelist.addClass("java.lang.Character"); + whitelist.addClass("java.lang.Double"); + whitelist.addClass("java.lang.Enum"); + whitelist.addClass("java.lang.Float"); + whitelist.addClass("java.lang.Integer"); + whitelist.addClass("java.lang.Long"); + whitelist.addClass("java.lang.Number"); + whitelist.addClass("java.lang.Object"); + whitelist.addClass("java.lang.Short"); + whitelist.addClass("java.lang.String"); + } + + public DeserializationClassFilter(JasperReportsContext jasperReportsContext) + { + super(jasperReportsContext); + } +}
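Review bot: `//whitelist.addClass("C");` leaves the `char` primitive array descriptor out of the hardcoded list while every other primitive (`B`, `D`, `F`, `I`, `J`, `S`, `Z`) is present; since `resolveClass` strips the array prefix and checks the remaining name, any serialized object holding a `char[]` field will be rejected once the filter is on. Either add `C` with the others or leave a comment explaining why it is deliberately excluded.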
core/src/main/java/net/sf/jasperreports/engine/util/DeserializationClassWhitelist.java+31 −0 added@@ -0,0 +1,31 @@ +/* + * JasperReports - Free Java Reporting Library. + * Copyright (C) 2001 - 2025 Cloud Software Group, Inc. All rights reserved. + * http://www.jaspersoft.com + * + * Unless you have purchased a commercial license agreement from Jaspersoft, + * the following license terms apply: + * + * This program is part of JasperReports. + * + * JasperReports is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * JasperReports is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with JasperReports. If not, see <http://www.gnu.org/licenses/>. + */ +package net.sf.jasperreports.engine.util; + +/** + * @author Teodor Danciu (teodord@users.sourceforge.net) + */ +public interface DeserializationClassWhitelist extends ClassWhitelist +{ +}
core/src/main/java/net/sf/jasperreports/engine/util/StandardClassWhitelist.java+138 −0 added@@ -0,0 +1,138 @@ +/* + * JasperReports - Free Java Reporting Library. + * Copyright (C) 2001 - 2025 Cloud Software Group, Inc. All rights reserved. + * http://www.jaspersoft.com + * + * Unless you have purchased a commercial license agreement from Jaspersoft, + * the following license terms apply: + * + * This program is part of JasperReports. + * + * JasperReports is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * JasperReports is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with JasperReports. If not, see <http://www.gnu.org/licenses/>. 
+ */ +package net.sf.jasperreports.engine.util; + +import java.util.ArrayList; +import java.util.HashSet; +import java.util.List; +import java.util.Set; +import java.util.regex.Matcher; +import java.util.regex.Pattern; + +/** + * @author Lucian Chirita (lucianc@users.sourceforge.net) + */ +public class StandardClassWhitelist implements ClassWhitelist +{ + + public static final String WHITELIST_SEPARATOR = ","; + + private static final String WHITELIST_SEPARATOR_PATTERN = Pattern.quote(WHITELIST_SEPARATOR); + + private static final char WILDCARD = '*'; + + private static final Pattern WILDCARD_PATTERN = Pattern.compile("\\*+"); + + private Set<String> classWhitelist; + private List<Pattern> whitelistPatterns; + + public StandardClassWhitelist() + { + this.classWhitelist = new HashSet<>(); + this.whitelistPatterns = new ArrayList<>(); + } + + @Override + public boolean includesClass(String className) + { + if (classWhitelist.contains(className)) + { + return true; + } + + if (!whitelistPatterns.isEmpty()) + { + for (Pattern pattern : whitelistPatterns) + { + if (pattern.matcher(className).matches()) + { + return true; + } + } + } + return false; + } + + public void addClass(String className) + { + classWhitelist.add(className); + } + + public void addWhitelist(String whitelist) + { + String[] classes = whitelist.split(WHITELIST_SEPARATOR_PATTERN); + for (String whitelistClass : classes) + { + whitelistClass = whitelistClass.trim(); + if (!whitelistClass.isEmpty()) + { + if (whitelistClass.indexOf(WILDCARD) >= 0) + { + addPattern(whitelistClass); + } + classWhitelist.add(whitelistClass); + } + } + } + + protected void addPattern(String classWildcard) + { + Matcher matcher = WILDCARD_PATTERN.matcher(classWildcard); + StringBuilder patternStr = new StringBuilder(); + int prevIndex = 0; + while (matcher.find()) + { + int matchStart = matcher.start(); + int matchEnd = matcher.end(); + if (matchStart > prevIndex) + { + 
patternStr.append(Pattern.quote(classWildcard.substring(prevIndex, matchStart))); + } + + if (matchStart + 1 == matchEnd) + { + //single * - use class name pattern + //class names allow almost any character, see Character.isJavaIdentifierPart + //allowing anything except points to exclude packages + patternStr.append("[^\\.]*"); + } + else + { + //multiple * - use class and package pattern + patternStr.append(".*"); + } + + prevIndex = matchEnd; + } + + if (prevIndex < classWildcard.length()) + { + patternStr.append(Pattern.quote(classWildcard.substring(prevIndex, classWildcard.length()))); + } + + Pattern pattern = Pattern.compile(patternStr.toString()); + whitelistPatterns.add(pattern); + } + +}
core/src/main/java/net/sf/jasperreports/engine/util/StandardDeserializationClassWhitelistExtension.java+54 −0 added@@ -0,0 +1,54 @@ +/* + * JasperReports - Free Java Reporting Library. + * Copyright (C) 2001 - 2025 Cloud Software Group, Inc. All rights reserved. + * http://www.jaspersoft.com + * + * Unless you have purchased a commercial license agreement from Jaspersoft, + * the following license terms apply: + * + * This program is part of JasperReports. + * + * JasperReports is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * JasperReports is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with JasperReports. If not, see <http://www.gnu.org/licenses/>. 
+ */ +package net.sf.jasperreports.engine.util; + +import java.util.List; + +import net.sf.jasperreports.engine.JRPropertiesMap; +import net.sf.jasperreports.engine.JRPropertiesUtil; +import net.sf.jasperreports.engine.JRPropertiesUtil.PropertySuffix; +import net.sf.jasperreports.extensions.ExtensionsRegistry; +import net.sf.jasperreports.extensions.ExtensionsRegistryFactory; +import net.sf.jasperreports.extensions.SingletonExtensionRegistry; + +/** + * @author Teodor Danciu (teodord@users.sourceforge.net) + */ +public class StandardDeserializationClassWhitelistExtension implements ExtensionsRegistryFactory +{ + + @Override + public ExtensionsRegistry createRegistry(String registryId, JRPropertiesMap properties) + { + StandardDeserializationClassWhitelist whitelist = new StandardDeserializationClassWhitelist(); + List<PropertySuffix> whitelistProps = JRPropertiesUtil.getProperties(properties, + DeserializationClassFilter.PROPERTY_PREFIX_CLASS_WHITELIST); + for (PropertySuffix propertySuffix : whitelistProps) + { + whitelist.addWhitelist(propertySuffix.getValue()); + } + return new SingletonExtensionRegistry<>(DeserializationClassWhitelist.class, whitelist); + } + +}
core/src/main/java/net/sf/jasperreports/engine/util/StandardDeserializationClassWhitelist.java+31 −0 added@@ -0,0 +1,31 @@ +/* + * JasperReports - Free Java Reporting Library. + * Copyright (C) 2001 - 2025 Cloud Software Group, Inc. All rights reserved. + * http://www.jaspersoft.com + * + * Unless you have purchased a commercial license agreement from Jaspersoft, + * the following license terms apply: + * + * This program is part of JasperReports. + * + * JasperReports is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * JasperReports is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with JasperReports. If not, see <http://www.gnu.org/licenses/>. + */ +package net.sf.jasperreports.engine.util; + +/** + * @author Lucian Chirita (lucianc@users.sourceforge.net) + */ +public class StandardDeserializationClassWhitelist extends StandardClassWhitelist implements DeserializationClassWhitelist +{ +}
core/src/main/resources/default.jasperreports.properties+54 −1 modified@@ -395,4 +395,57 @@ net.sf.jasperreports.report.class.whitelist.jasperreports.java=\ java.sql.Connection,\ mondrian.olap.Member,\ org.w3c.dom.Document,\ - javax.persistence.EntityManager \ No newline at end of file + javax.persistence.EntityManager + +net.sf.jasperreports.deserialization.class.filter.enabled=true +net.sf.jasperreports.deserialization.class.whitelist.jasperreports.java=\ + java.awt.BasicStroke,java.awt.Color,java.awt.Component,java.awt.ComponentOrientation,java.awt.Container,\ + java.awt.Font,java.awt.geom.Ellipse2D,java.awt.geom.GeneralPath,java.awt.geom.Line2D,java.awt.geom.Path2D*,\ + java.awt.geom.Rectangle2D,java.awt.GradientPaint,java.awt.Polygon,java.awt.font.TextAttribute,\ + java.beans.PropertyChangeSupport,java.beans.VetoableChangeSupport,\ + java.math.BigDecimal,java.math.BigInteger,java.math.RoundingMode,java.sql.Date,java.sql.Timestamp,java.text.*Format*,java.text.AttributedCharacterIterator$Attribute,\ + java.util.ArrayList,java.util.Arrays$ArrayList,java.util.LinkedList,java.util.Calendar,java.util.Collections*,java.util.concurrent.ConcurrentHashMap*,\ + java.util.concurrent.ConcurrentSkipListMap,java.util.concurrent.locks.ReentrantLock*,java.util.concurrent.locks.AbstractQueuedSynchronizer,java.util.concurrent.locks.AbstractOwnableSynchronizer,\ + java.util.Date,java.util.GregorianCalendar,java.util.HashMap,java.util.HashSet,java.util.Hashtable,java.util.LinkedHashMap,\ + java.util.Locale,java.util.SimpleTimeZone,java.util.TimeZone,java.util.TreeMap,java.util.TreeSet,\ + java.util.UUID,javax.swing.JComponent,javax.swing.event.EventListenerList,sun.util.calendar.ZoneInfo +net.sf.jasperreports.deserialization.class.whitelist.jasperreports.core=\ + net.sf.jasperreports.compilers.*,\ + net.sf.jasperreports.components.iconlabel.*,\ + net.sf.jasperreports.components.items.Standard*,\ + net.sf.jasperreports.components.list.BaseListContents,\ + 
net.sf.jasperreports.components.list.StandardListComponent,\ + net.sf.jasperreports.components.table.*,\ + net.sf.jasperreports.crosstabs.JRCrosstab*,\ + net.sf.jasperreports.crosstabs.fill.calculation.ColumnValueInfo,\ + net.sf.jasperreports.crosstabs.interactive.DataColumnInfo,\ + net.sf.jasperreports.crosstabs.interactive.RowGroupInteractiveInfo,\ + net.sf.jasperreports.crosstabs.base.JRBase*,\ + net.sf.jasperreports.crosstabs.type.Crosstab*Enum,\ + net.sf.jasperreports.customvisualization.design.CVDesignComponent,\ + net.sf.jasperreports.engine.*,\ + net.sf.jasperreports.engine.analytics.data.Axis,\ + net.sf.jasperreports.engine.analytics.dataset.BucketOrder,\ + net.sf.jasperreports.engine.analytics.dataset.Base*,\ + net.sf.jasperreports.engine.analytics.dataset.DataAxis,\ + net.sf.jasperreports.engine.base.BaseDatasetPropertyExpression,\ + net.sf.jasperreports.engine.base.BasePrintBookmark,\ + net.sf.jasperreports.engine.base.ElementsBlock,\ + net.sf.jasperreports.engine.base.JRBase*,\ + net.sf.jasperreports.engine.base.JRVirtualPrintPage,\ + net.sf.jasperreports.engine.base.StandardPrintParts,\ + net.sf.jasperreports.engine.base.VirtualizableElementList,\ + net.sf.jasperreports.engine.component.BaseComponentContext,\ + net.sf.jasperreports.engine.component.ComponentKey,\ + net.sf.jasperreports.engine.design.*,\ + net.sf.jasperreports.engine.fill.JRRecordedValuesPrintText,\ + net.sf.jasperreports.engine.fill.JRTemplate*,\ + net.sf.jasperreports.engine.fill.JRVirtualizationContext,\ + net.sf.jasperreports.engine.part.StandardPartEvaluationTime,\ + net.sf.jasperreports.engine.type.*Enum,\ + net.sf.jasperreports.engine.type.*Type,\ + net.sf.jasperreports.engine.type.HorizontalPosition,\ + net.sf.jasperreports.engine.util.Pair,\ + net.sf.jasperreports.parts.subreport.StandardSubreportPartComponent,\ + net.sf.jasperreports.renderers.*Renderer*,\ + net.sf.jasperreports.virtualization.VirtualizedFramesParentTest
core/src/main/resources/jasperreports_messages.properties+2 −0 modified@@ -463,6 +463,8 @@ net.sf.jasperreports.exception.scriptlets.variable.not.found=Variable not found: net.sf.jasperreports.exception.scriptlets.variable.value.incompatible=Incompatible value assigned to variable {0}. Expected {1}. # utility classes error messages +net.sf.jasperreports.exception.deserialization.byte.count.limit.exceeded=Deserialization byte count limit of {0} has been exceeded. +net.sf.jasperreports.exception.deserialization.class.not.visible=Class {0} is not visible to deserialization. net.sf.jasperreports.exception.util.api.writer.output.stream.write.error=Error writing to OutputStream: {0}. net.sf.jasperreports.exception.util.api.writer.file.write.error=Error writing to file: {0}. net.sf.jasperreports.exception.util.array.char.iterator.invalid.index=Invalid index {0} (start = {1}, end = {2})
demo/samples/xchartcomponent/src/jasperreports_extension.properties+6 −0 modified@@ -1,2 +1,8 @@ net.sf.jasperreports.extension.registry.factory.xchart=net.sf.jasperreports.spring.SpringExtensionsRegistryFactory net.sf.jasperreports.extension.xchart.spring.beans.resource=xchart/xchart_beans.xml + +net.sf.jasperreports.extension.registry.factory.deserialization.whitelist=net.sf.jasperreports.engine.util.StandardDeserializationClassWhitelistExtension +net.sf.jasperreports.deserialization.class.whitelist.jasperreports.xchartcomponent=\ + xchart.CompiledXYDataset,\ + xchart.DesignXYSeries,\ + xchart.XYChartComponent
ext/barbecue/src/main/resources/jasperreports_extension.properties+7 −0 modified@@ -1 +1,8 @@ net.sf.jasperreports.extension.registry.factory.barbecue=net.sf.jasperreports.barbecue.BarbecueExtensionsRegistryFactory + +net.sf.jasperreports.extension.registry.factory.deserialization.whitelist=net.sf.jasperreports.engine.util.StandardDeserializationClassWhitelistExtension +net.sf.jasperreports.deserialization.class.whitelist.jasperreports.barbecue=\ + net.sf.jasperreports.barbecue.BarbecueRendererImpl,\ + net.sf.jasperreports.barbecue.StandardBarbecueComponent,\ + net.sourceforge.barbecue.Barcode,\ + net.sourceforge.barbecue.**.*Barcode
ext/barcode4j/src/main/resources/jasperreports_extension.properties+5 −0 modified@@ -1 +1,6 @@ net.sf.jasperreports.extension.registry.factory.barcode4j=net.sf.jasperreports.barcode4j.Barcode4JExtensionsRegistryFactory + +net.sf.jasperreports.extension.registry.factory.deserialization.whitelist=net.sf.jasperreports.engine.util.StandardDeserializationClassWhitelistExtension +net.sf.jasperreports.deserialization.class.whitelist.jasperreports.barcode4j=\ + net.sf.jasperreports.barcode4j.*Component,\ + net.sf.jasperreports.barcode4j.*Enum
ext/charts/src/main/resources/jasperreports_extension.properties+36 −0 modified@@ -2,3 +2,39 @@ net.sf.jasperreports.extension.registry.factory.charts=net.sf.jasperreports.char net.sf.jasperreports.extension.registry.factory.jackson.mapping=net.sf.jasperreports.jackson.util.JacksonMappingExtensionsRegistryFactory net.sf.jasperreports.extension.jackson.mapping.chart=net.sf.jasperreports.charts.JRChart + +net.sf.jasperreports.extension.registry.factory.deserialization.whitelist=net.sf.jasperreports.engine.util.StandardDeserializationClassWhitelistExtension +net.sf.jasperreports.deserialization.class.whitelist.jasperreports.charts=\ + net.sf.jasperreports.charts.JR*,\ + net.sf.jasperreports.charts.base.JRBase*,\ + net.sf.jasperreports.charts.fill.ChartTemplateImage,\ + net.sf.jasperreports.charts.type.*Enum,\ + net.sf.jasperreports.charts.util.*,\ + net.sf.jasperreports.components.spiderchart.*,\ + net.sf.jasperreports.components.spiderchart.type.* +net.sf.jasperreports.deserialization.class.whitelist.jasperreports.jfreechart=\ + org.jfree.chart.JFreeChart,\ + org.jfree.chart.PaintMap,\ + org.jfree.chart.StrokeMap,\ + org.jfree.chart.LegendItemSource,\ + org.jfree.chart.axis.*,\ + org.jfree.chart.block.*,\ + org.jfree.chart.labels.*,\ + org.jfree.chart.plot.*,\ + org.jfree.chart.plot.dial.*,\ + org.jfree.chart.renderer.*Renderer*,\ + org.jfree.chart.renderer.category.*,\ + org.jfree.chart.renderer.xy.*,\ + org.jfree.chart.title.*Title,\ + org.jfree.data.Range,\ + org.jfree.data.RangeType,\ + org.jfree.data.DefaultKeyedValues,\ + org.jfree.data.DefaultKeyedValues2D,\ + org.jfree.data.category.DefaultCategoryDataset,\ + org.jfree.data.gantt.*,\ + org.jfree.data.general.*,\ + org.jfree.data.time.*,\ + org.jfree.data.xy.*,\ + org.jfree.text.TextBlockAnchor,\ + org.jfree.ui.*,\ + org.jfree.util.*
ext/chart-themes/src/main/resources/jasperreports_extension.properties+4 −0 modified@@ -1,2 +1,6 @@ net.sf.jasperreports.extension.registry.factory.chart.theme=net.sf.jasperreports.spring.SpringExtensionsRegistryFactory net.sf.jasperreports.extension.chart.theme.spring.beans.resource=net/sf/jasperreports/chartthemes/spring/beans/chartThemesBeans.xml + +net.sf.jasperreports.extension.registry.factory.deserialization.whitelist=net.sf.jasperreports.engine.util.StandardDeserializationClassWhitelistExtension +net.sf.jasperreports.deserialization.class.whitelist.jasperreports.chartthemes=\ + net.sf.jasperreports.chartthemes.spring.*
pom-parent.xml+1 −1 modified@@ -77,7 +77,7 @@ <url>${scmUrl}</url> </scm> <properties> - <revision>develop-JS-76100-SNAPSHOT</revision> + <revision>develop-JRL-2039-SNAPSHOT</revision> <scmConnection>scm:git:https://github.com/Jaspersoft/jasperreports.git</scmConnection> <scmUrl>https://github.com/Jaspersoft/jasperreports</scmUrl> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
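Review bot: in `StandardClassWhitelist.addWhitelist` (core/src/main/java/net/sf/jasperreports/engine/util/StandardClassWhitelist.java) an entry containing `*` is compiled through `addPattern(whitelistClass)` and then also added verbatim to `classWhitelist`; a literal such as `java.text.*Format*` can never equal a real class name, so the exact-match set accumulates dead entries. Move `classWhitelist.add(whitelistClass);` into an `else` branch of the `indexOf(WILDCARD)` check. Separately, a single `*` compiles to `[^\.]*`, which still matches `$`, so `net.sf.jasperreports.engine.*` admits every nested class of every class in that package; the default list depends on that (`java.util.Collections*`, `java.util.Arrays$ArrayList`), but the `*` versus `**` rules live only in comments inside `addPattern`, and `DeserializationClassWhitelist`, `StandardDeserializationClassWhitelist` and `StandardClassWhitelist` carry nothing but `@author` javadoc. Users have to write these patterns in properties files, so the matching rules belong in the class-level javadoc.

Review bot: `core/src/main/resources/default.jasperreports.properties` lists `net.sf.jasperreports.virtualization.VirtualizedFramesParentTest`, a test class, in the production default allowlist; drop it or move it to a test-scoped properties file. The same list mixes carefully enumerated single classes with package-wide wildcards (`net.sf.jasperreports.engine.*`, `net.sf.jasperreports.engine.design.*`, `net.sf.jasperreports.compilers.*`, `org.jfree.util.*`, `org.jfree.ui.*`, `org.jfree.chart.plot.*`); a wildcard admits every current and future class in the package, so each broad entry should carry a justifying comment or be replaced by the enumerated `Serializable` types that actually appear in compiled reports and `JasperPrint` objects. Note also that the filter is on by default (`net.sf.jasperreports.deserialization.class.filter.enabled=true`) with no migration note; any deployment or third-party extension whose serialized classes are not listed will start failing with the new `class.not.visible` error on upgrade, and the new property family (`net.sf.jasperreports.deserialization.class.whitelist.*`) is distinct from the pre-existing `net.sf.jasperreports.report.class.whitelist.*` shown in the hunk context, which is easy to confuse.

Review bot: `core/src/main/resources/jasperreports_messages.properties` adds `deserialization.byte.count.limit.exceeded` and `deserialization.class.not.visible`, but the `DeserializationClassFilter` that raises them (referenced from `StandardDeserializationClassWhitelistExtension` as `DeserializationClassFilter.PROPERTY_PREFIX_CLASS_WHITELIST`) is not in the portion of the diff shown, so neither the filter logic nor the property that sets the byte-count limit can be reviewed here. The `Class {0} is not visible to deserialization.` message interpolates the rejected class name; that is useful in server logs, but if the exception text is returned to a remote caller it tells whoever is probing exactly where the allowlist boundary lies, so make sure it stays log-only.

Review bot: the five extension property files (`ext/barbecue`, `ext/barcode4j`, `ext/charts`, `ext/chart-themes`, `demo/samples/xchartcomponent`) each register `StandardDeserializationClassWhitelistExtension` under the identical id `net.sf.jasperreports.extension.registry.factory.deserialization.whitelist`; confirm the extensions loader processes each `jasperreports_extension.properties` independently, otherwise only one whitelist factory is registered and the others' classes are silently rejected. This is also the pattern every third-party extension now has to copy (register the factory, then list classes under `net.sf.jasperreports.deserialization.class.whitelist.<id>`), and nothing in the commit documents it. In `ext/barbecue`, `net.sourceforge.barbecue.**.*Barcode` is the only use of the double-wildcard form; per `addPattern` it means "any sub-packages, then a dot, then a dot-free simple name ending in Barcode", which is correct but deserves a comment.

Review bot: the `pom-parent.xml` hunk swaps `<revision>develop-JS-76100-SNAPSHOT</revision>` for `develop-JRL-2039-SNAPSHOT`, branch bookkeeping unrelated to the deserialization fix; keep it out of the security commit so the patch cherry-picks cleanly onto release branches.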
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-7c3f-cg9x-f3gr (advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-10492 (advisory)
- community.jaspersoft.com/advisories/jaspersoft-security-advisory-september-16-2025-jaspersoft-library-cve-2025-10492-r6 (vendor advisory)
- community.jaspersoft.com/forums/topic/69926-cve-2025-10492-%E2%80%93-no-fix-available-after-jasperreports-upgrade-community-edition (vendor forum)
- github.com/Jaspersoft/jasperreports/commit/3541a3e2b1ad8b78388ac505091da75cb652a647 (fix commit)
- github.com/Jaspersoft/jasperreports/commit/827c2f27c4ca8e2c5b3142d76df9c1c8575f3569 (fix commit)
- github.com/Jaspersoft/jasperreports/issues/542 (issue tracker)
- community.jaspersoft.com/advisories/jaspersoft-security-advisory-september-16-2025-jaspersoft-library-cve-2025-10492-r6/ (vendor advisory, as listed by MITRE)