ColdFusion

I tried to submit a trouble-ticket on the tracker.adobe.com, but I’m getting a 500 error.  Yay.Does anyone have any information on ColdFusion 2023 Enterprise and the Microsoft Visual C++ 2012 Redistributable? This specific redistributable has reached End of Life (EOL) and is no longer supported or patched by Microsoft.  Utilizing EOL software directly violates Risk Management Framework (RMF) and Department of Navy cybersecurity requirements.  This outdated dependency unnecessarily increases the system’s attack surface area.

Hi All,We are migrating from Cf2021 to CF2025.One issue is that QoQ resuts shows empty string when is not data.<cfscript> tempQuery = queryNew("id,name,amt", "integer,varchar,double"); QueryAddRow(tempQuery); QuerySetCell(tempQuery, "id", 1); QuerySetCell(tempQuery, "name", "Marco"); QuerySetCell(tempQuery, "amt", 16); QueryAddRow(tempQuery); QuerySetCell(tempQuery, "id", 2); QuerySetCell(tempQuery, "name", "Troy"); QuerySetCell(tempQuery, "amt", 7); result = queryExecute( "SELECT SUM(amt) AS cnt FROM tempQuery", {}, {dbtype="query"} ); writeDump(result); writeDump(result.recordcount()); result = queryExecute( "SELECT SUM(amt) AS cnt FROM tempQuery where id = 3", {}, {dbtype="query"} ); writeDump(result); writeDump(result.recordcount());</cfscript>ResultThe record count now is 1 for empty QoQ. It shoud be zero.Any solution on this issue?Thanks,JFB

my linter thinks there is an invalid token here, but there isn’tTL;DR: The red squiggle underline is caused, in some way, by the CF Builder extension. It’s wrong, the code and the file are fine, and I want it to go away. Anyone know how to make it go away?Details:I installed this extension a few weeks ago, and I didn’t notice (or I ignored) it at the time, but I started getting these red-squiggle notifications on *some* javascript / JSON files. I finally tried narrowing down the problem today, and after blaming it on eslint for a little while, and/or various rules in my project’s `eslintrc.json` file, I disabled all extensions and the error went away.So I used vsCode’s “Extension Bisector” to find the culprit. I didn’t know this existed till today. Basically it starts by disabling all extensions and reloading your window, and asks you if you can reproduce the problem. You say yes/no, and then it reloads again with some extensions enabled. You repeat the process several times until fina

Is there a way to adjust the formatting settings used by the vsCode ColdFusion Builder extension? I installed the extension mainly to try to take advantage of its code formatting options. Unfortunately the formatting does not seem to obey my vsCode preferences (tab indentation, equal to 2 spaces). It also does almost no formatting of html inside a cfoutput block (all html tags are stacked evenly). Does anyone know if there’s a way to adjust the formatting settings? I would like to recommend this to our team of several developers, as a standard tool for formatting our files.

Hi CF Experts,Recently I have changed my laptop and installed ColdFusion 2023 and installing updated from Update 6. But I am unable to download and Install it from  CF Admin. Below is screen and getting an error Uncaught TypeError: Cannot read properties of undefined (reading 'cfhf_buildnumber') Can you please help on this. 

I've gone through multiple rounds of installing Windows Server 2022 and following the Lockdown guide to install ColdFusion 2025 and AutoLockdown. Just can't get it to work, have lost a lot of time, and losing hope. Initially I couldn't get it to create the service user for me. May have been the complex password. Whatever. It seems to do that correctly now. After seeing a bug reported elsewhere I have added -Dcoldfusion.runtime.remotemethod.matchArguments=false to the JVM flags and restarted CF before running the AutoLockdown tool. I have checkpoints/snapshots in Hyper-V so that I can start the tool from scratch on each attempt. Attached is the lockdown log if anyone can help me out.

Where the heck do you report a bug?  Now I know why the Adobe developers say they don't have any bugs in their queue.  No one can figure how to report one.I was also told they offer free installation support.  Where and how do you reach them?  I've scoured the website and can't find it.

When I go to a server instance in CFAdmin > Deploy Existing Archive I get the following error:The path xxx.car is not whitelisted in pathfilter in CF2021 update 23.Is there a particular directory I should put the .car file in? Where can I whitelist the file. I don’t see anything under Security to whitelist a file. 

When I try to set the FIPS Mode in Configuration as below:<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" FIPSMode="on"/> I’m getting error in the coldfusion-error.log: “Failed to enter FIPS mode” and unable to login to CF Admin page. How can I fix this error with enabling the FIPS mode?Thanks!

I’m converting a database from MS‑SQL to PostgreSQL and I need to change the calls to the Stored Procedures.I rewrote them in PostgreSQL, and when I try to execute them, it returns an error saying that the procedure’s cursor does not exist.For example, a call that used to be:<cfquery name="getApp_Version"> EXEC sp_app_version;</cfquery>Was changed to:<cfquery name="getApp_Version"> BEGIN; CALL "public"."sp_app_version"('c1'); FETCH NEXT FROM c1; COMMIT;</cfquery>And the following message appes:ERROR: cursor "c1" does not existI was advised to convert the procedures into functions to solve the problem, but there are too many procedures to rewrite.Is there a way to call Stored Procedures in PostgreSQL without getting this error?

I am trying to use org.jaudiotagger.audio.AudioFileIO to read some tags in mp3 files.  The following lines work correctly: fileObj = createObject("java", "java.io.File").init(lsFileNameWithPath);audioFileIO = createObject("java", "org.jaudiotagger.audio.AudioFileIO");audioFile = audioFileIO.read(fileObj);audioHeader = audioFile.getAudioHeader();bitrate = audioHeader.getBitRate();writeOutput("The audio file bitrate is: " & bitrate);writeOutput(AudioHeader);but If I try anything with tags such as:Tag tag = audioFile.getTag();              orlsArtist = audioFile.getTag().getFirst(FieldKey.ARTIST);I get error messages.  In the first case the error message is “ Variable TAG is undefined.“ and in the second case the error message is “ Variable FIELDKEY is undefined”Any suggestions as to what I am doing wrong?

Weak Session Token Randomness vulnerability found during pentesting in ColdFusion 2023 Administrator During a recent penetration test, we identified a vulnerability related to weak session token randomness in ColdFusion 2023, specifically impacting the Administrator interface. Our analysis indicates that only about 6 out of 80 characters in the session cookie exhibit sufficient randomness, which poses a risk to session security.Could you please advise if ColdFusion 2023 offers any configuration options or best practices to enhance the randomness and security of session tokens for the Administrator? Is it possible to customize the session ID generator or enable a stronger session management mechanism?Any guidance or recommendations to mitigate this vulnerability would be greatly appreciated.Thank you in advance for your support!

I’m setting up a SAML integration in ColdFusion 2021. It works fine, but when I’m in the Administrator if I check the “Want Assertions Signed” checkbox but don’t fill out Signing Keystore information and save it, whenever I try to edit the SP it always fails saying the keystore…. is undefined. My understanding is that “Want Assertions Signed” means the IDP signs the request it sends. Inside of the IDP I set up the Signing Certificate so it decrypts the response successfully. This all works fine, it’s just I can’t get in to edit the SP after setting it up. Entra provides the certificate and has options to sign the request and assertion, so I assume I don’t have to set up that certificate in my SP, but I do have to add it to the IDP so it knows how to verify the SAML response. Is this wrong? If I leave “Want Assertions Unchecked” what does that do for my process? Thank you.

Hello CF Community, We have a bit of an unusual situation, On one of the servers we have the log4j files which i do not see on the other servers. We have a security issue and the core-2.13.3 needs to be removed. We are running the CF2021 Updated to update 18 on all nodes. Only one of the nodes is showing the extra files in the CF/jre/lib folder. How can i go about safely removing the core2.13.3 file for log4j. Can i simply remove and if so what should i be on the look out for in terms of failures?  

Hello, everyone. Still have not had a chance to do anything with my last issue (still ongoing), and now we have more issues.  They just keep cropping up. The most critical, however, is that our SA is getting 400 errors trying to access CF Admin.  I’m trying to get as much information from our SA as possible. He’s checking logs, as I type this.  I’m hoping he can get me some details for me to post. Right now, all I have is what appears in the browser when he tries to access CF Admin. BAD REQUESTYour browser set a request that this server could not understand.Additionally, a 400 Bad Request error was encountered while trying to use an ErrorDocument to handle the request. As soon as our SA passes to me what he finds in the logs, I’ll post them here. V/r,WolfShade

Hello!This is a continuation of a question I posed days prior to the upgrade of the Adobe forums. The post never reappeared on the new forums, and so I’m reposting this update afresh.My original question centered on how to configure IIS websites such that all users would be required to go through the API Manager to access the API. BKBK responded with details on how to set up a reverse proxy. Mission accomplished. I now have two IIS sites:APIMGR.mysite.com is the gateway (reroutes traffic to API.mysite.com) API.mysite.com is the backend (rejects direct traffic; permits incoming traffice only from APIMGR.mysite.com)My question now is, what settiings, if any, in the API Manager Administrator (or in the Portal) need to change, to accommodate this reverse proxy setup? Specifically, do these default settings for the Host or the Domain URL need to change, or does the API administrator still serve up requests via the default localhost / localhost:port configuration? Thanks in advance for the a

Can anyone tell me what happens when a ColdFusion 2023 Enterprise license is used on more servers (or CPUs or whatever) than Adobe thinks are covered by the license? I would not deliberately overuse a license, but because previous communication with Adobe about licensing has been far from clear, and the fact that I am not in our company’s licensing department, as well as the fact that Adobe’s stance on allowing (or not) a license to be used on a dev servers if licensing has been purchased for a prod server, it’s hard to be 100% sure that issues won’t arise.We have a UAT server and I’m almost sure our existing licensing will accommodate it, but if I apply the serial number and it isn’t covered, what will happen - Something as clear as a notification on attempt, or something much worse, like our PROD server being silently downgraded to developer mode?Thanks!

I have a simple loop that is used to clean up old files within a directory:​<cfdirectory action="list" name="qDir" directory="#variables.path#"><cfloop query="qDir"> <cfif qDir.Type eq "File"> <cfif DateDiff("h", qDir.DateLastModified, Now()) gt attributes.keep_for_hours> <cfset variables.full_file_path = variables.path & qDir.Name> <cfif FileExists(variables.full_file_path)> <cffile action="delete" file="#variables.full_file_path#"> </cfif> </cfif> </cfif></cfloop>This is on Linux where ColdFusion is running as apache.Recently a system scan process has been leaving behind files owned by root within the directory resulting in an error stating:“The file or directory <filename> provided as the Source is read-only. - The Delete cannot be performed.”While it’s true that the file is read-only, apache owns the directory the file is in and should still be able to delete the file.How do I go about encouragin

Load Balancer cannot tell when ColdFusion site is up or not due to logon pop-up.We have a load balancer to ensure that if one of our ColdFusion services goes down, we switch all traffic to the other server.The problem we have is that we want to check the web site is responsive – not just that the service is running, as the ColdFusion Application Server service can be running but the web site does not respond.But when the Load Balancer checks the web page the Edge account logon popup appears, and confuses it as it thinks the site is running.  This can be mimicked by entering the monitor page URL into Chrome incognito (networks team said if it works in Incognito, it will work in the Load Balancer).Is there any way to get this working?In IIS the main site is set up so we are automatically logged in via our window using Windows Authentication.  The  “monitor” site has Anonymous Authentication. In testing Chrome Incognito works for a simple html page (no account logon pop up), but account l

Environment: Windows-based, using ColdFusion 2023. When creating admin console “users,” has anyone setup external authentication (using LDAP) using groups instead of individual users?  Due to a recently released ColdFusion STIG I’m now required to create admin console users who are externally authenticated (no local user accounts). In my case, that means using LDAP to authenticate the users from Active Directory (AD). My preference is to configure this using an AD group instead of individual users.I’m struggling trying to determine what data goes in what fields during the setup.  I have the LDAP configured and verifying the connection. I’m using the correct LDAP filter in the Group Configuration field; I know it’s correct because when I test it using the CFLDAP tag, it returns the users who are assigned to the target group.  But, in the User Manager (User Detail), the ‘User name’ field is required and I’m not sure what to enter. I’ve tried several different things, but always get the r

We are running CF-2021 Update-22 with IIS on Windows 2019. Suddenly today all Coldfusion sites started experiencing significant delays. Response times have increased to between 5 and 40 seconds, while they used to be within 100-200 ms. There have been no updates or changes on the server as far as I can see. Restarting or upgrading connectors didn't help, CPU usage is low and there is plenty of RAM and storage. Http and css files are served immediately, and Coldfusion debugger reports show that pages are still loading pretty fast: Total Execution Time is less than 100 ms. I didn't find any signs of the DoS attack.So the issue must be somewhere between IIS and Tomcat. In fact, isapi_redirect logs show more errors then before, like[Thu Feb 05 21:16:16.555 2026] [10156:7684] [info] ajp_process_callback::jk_ajp_common.c (2288): current reuse count is 192 of max reuse connection 300 and total endpoint count 400[Thu Feb 05 21:16:17.662 2026] [10156:13788] [error] start_response::jk_isapi_plug

Hello everybody!I am working on removing all my inline JS codes. As an exapmle I've created a simple coldfusion (CF) template with a button. In a separate javascript file I define the function which is called when the button is pressed. This function is to have an argument through which I pass a value to be displayed. test4.cfm: <cfscript> Variables.sTest = "ha-ha-ha";</cfscript><!DOCTYPE html><html> <head> <meta http-equiv="Content-Security-Policy" content="script-src 'self'"> <script> var sValFromCF = "<cfoutput>#Variables.sTest#</cfoutput>"; </script> <script src="JS_test4.js" defer> </script> </head> <body> <INPUT TYPE="button" name="sBtn4" id="sBtn4" value="Click me4"> </body></html>JS_test4.js: <!-- Begin hiding contents from older browsersdocument.addEventListener ('DOMContentLoaded', () => { document.getElementById("sBtn4").addEventListener("cli

This happened after I installed all 6 patches for Cold Fusion 2025, in order. I rebooted the system but still got the same error.    

I would like to switch from CF 2016 to CF 2025. I have already installed the developer edition of the latest CF 2025 version.Could anyone post me a link to a migration guide or/and provide other useful information about the migration steps to do? Thanks for  any help!

Hello. Let's say that I have an API running at https://api.mysite.com/rest/api/customerID/12345 which is available to anyone with the link. Joe User can go to that site right now and pull that payload, but now, I want to lock it down through the API Manager.  I have everything set up in the API Manager (Server discovery, REST API import, REST Playground Config, Publisher/Subscriber setup,  Authentication (using apiKey), SLA Creation, Rate Limiting, and so on, in order to manage these requests. Everything looks good. I think my question is simple: What's to stop Joe User, or even Joe Subscriber, from circumventing the apikey requirement and hammer away at my api with impunity? Does one pass through the API Key with each request, or how does it work? How do I prevent casual usage of visitors continuing to hit my API by just going to https://api.mysite.com/rest/api/customerID/12345? Brian Sappey's webinar series has made API creation and management a breeze,