The official community for ColdFusion.
Recently active
Load Balancer cannot tell when ColdFusion site is up or not due to logon pop-up.We have a load balancer to ensure that if one of our ColdFusion services goes down, we switch all traffic to the other server.The problem we have is that we want to check the web site is responsive – not just that the service is running, as the ColdFusion Application Server service can be running but the web site does not respond.But when the Load Balancer checks the web page the Edge account logon popup appears, and confuses it as it thinks the site is running. This can be mimicked by entering the monitor page URL into Chrome incognito (networks team said if it works in Incognito, it will work in the Load Balancer).Is there any way to get this working?In IIS the main site is set up so we are automatically logged in via our window using Windows Authentication. The “monitor” site has Anonymous Authentication. In testing Chrome Incognito works for a simple html page (no account logon pop up), but account l
Environment: Windows-based, using ColdFusion 2023. When creating admin console “users,” has anyone setup external authentication (using LDAP) using groups instead of individual users? Due to a recently released ColdFusion STIG I’m now required to create admin console users who are externally authenticated (no local user accounts). In my case, that means using LDAP to authenticate the users from Active Directory (AD). My preference is to configure this using an AD group instead of individual users.I’m struggling trying to determine what data goes in what fields during the setup. I have the LDAP configured and verifying the connection. I’m using the correct LDAP filter in the Group Configuration field; I know it’s correct because when I test it using the CFLDAP tag, it returns the users who are assigned to the target group. But, in the User Manager (User Detail), the ‘User name’ field is required and I’m not sure what to enter. I’ve tried several different things, but always get the r
We are running CF-2021 Update-22 with IIS on Windows 2019. Suddenly today all Coldfusion sites started experiencing significant delays. Response times have increased to between 5 and 40 seconds, while they used to be within 100-200 ms. There have been no updates or changes on the server as far as I can see. Restarting or upgrading connectors didn't help, CPU usage is low and there is plenty of RAM and storage. Http and css files are served immediately, and Coldfusion debugger reports show that pages are still loading pretty fast: Total Execution Time is less than 100 ms. I didn't find any signs of the DoS attack.So the issue must be somewhere between IIS and Tomcat. In fact, isapi_redirect logs show more errors then before, like[Thu Feb 05 21:16:16.555 2026] [10156:7684] [info] ajp_process_callback::jk_ajp_common.c (2288): current reuse count is 192 of max reuse connection 300 and total endpoint count 400[Thu Feb 05 21:16:17.662 2026] [10156:13788] [error] start_response::jk_isapi_plug
Hello everybody!I am working on removing all my inline JS codes. As an exapmle I've created a simple coldfusion (CF) template with a button. In a separate javascript file I define the function which is called when the button is pressed. This function is to have an argument through which I pass a value to be displayed. test4.cfm: <cfscript> Variables.sTest = "ha-ha-ha";</cfscript><!DOCTYPE html><html> <head> <meta http-equiv="Content-Security-Policy" content="script-src 'self'"> <script> var sValFromCF = "<cfoutput>#Variables.sTest#</cfoutput>"; </script> <script src="JS_test4.js" defer> </script> </head> <body> <INPUT TYPE="button" name="sBtn4" id="sBtn4" value="Click me4"> </body></html>JS_test4.js: <!-- Begin hiding contents from older browsersdocument.addEventListener ('DOMContentLoaded', () => { document.getElementById("sBtn4").addEventListener("cli
This happened after I installed all 6 patches for Cold Fusion 2025, in order. I rebooted the system but still got the same error.
I would like to switch from CF 2016 to CF 2025. I have already installed the developer edition of the latest CF 2025 version.Could anyone post me a link to a migration guide or/and provide other useful information about the migration steps to do? Thanks for any help!
Hello. Let's say that I have an API running at https://api.mysite.com/rest/api/customerID/12345 which is available to anyone with the link. Joe User can go to that site right now and pull that payload, but now, I want to lock it down through the API Manager. I have everything set up in the API Manager (Server discovery, REST API import, REST Playground Config, Publisher/Subscriber setup, Authentication (using apiKey), SLA Creation, Rate Limiting, and so on, in order to manage these requests. Everything looks good. I think my question is simple: What's to stop Joe User, or even Joe Subscriber, from circumventing the apikey requirement and hammer away at my api with impunity? Does one pass through the API Key with each request, or how does it work? How do I prevent casual usage of visitors continuing to hit my API by just going to https://api.mysite.com/rest/api/customerID/12345? Brian Sappey's webinar series has made API creation and management a breeze,
I'm working on building an interface with ID.me. I am currently getting back a valid JWT from the ID.me API (it successfully decodes using JWT.IO) but I'm having trouble decoding it in ColdFusion. The CF function VerifySignedJWT has three required parameters and, I believe, I am having trouble with the second parameter signOptions. The CF documentation indicates this parameter should be a strcut containing the key, KeyPair, JWK-JSON Web Keyset URL or file or string, Keystore file, keystore password, keystore alias.I am retrieveing the key array from the JWK-JSON Web Keyset URL (ID.me's well known endpoint) but am stuck here. When I attempt to decode using <cftry> <cfset payload = VerifySignedJWT(idToken, key, c)> <cfcatch type="any"> &n
Keep getting. java.sql.SQLException: Index -1 out of bounds for length 0 Please help. I cleared Felix -cache, tried Odbc11.jar in ..\lib folder restarted no difference. running out of options before rollback. ty community. I was on call with Adobe over 1 hour they hung up. No respnse from CFsup... email Jose Duenas Lead systems Kaiser
I am running a developer version of ColdFusion 2025 Version 2025,0,06,331564 on my MacBook Pro MacOS Tahoe 26.2 (25C56). I used the ZIP installer to install it. When ever I try to use the CZIP tag in CFML or function in CFSCRIPT I get the following error:Cannot find implementation class coldfusion.tagext.zip.ZipTag for the zip tag. I have restarted everything. I have run cfpm.sh with `purgecache`. I have deleted the felixcache completely and restarted. I have run cfpm.sh with `install all`. None of that has resolved it. I do have the zip package installed. Do I need to recompilie the coldfusion binary? The reason I have not yet just tired to unintall and reinstall is becuase I have spent a lof ot time getting SSL Vhosts working with the default install of Apache on MacOS and ColdFusion so that apache properly hands off ColdFusion requests. I am wary of running the uninstall script because I assume it will remove the jk_mod connector
Tenable Security scan has identified Fileupload-1.5.jar as a high Vulnerability. Is this a false positive ? C:\ColdFusion2023\bundles\repo\commons-fileupload-1.5.jar Installed version : 1.5 Fixed version : 1.6 Path : C:\ColdFusion2023\bundles\updateinstallers\hotfix-packages-cf2023-016-330828\repo\commons-fileupload-1.5.jar Installed version : 1.5 Fixed version : 1.6 Path : C:\ColdFusion2023\bundles\updateinstallers\hotfix-packages-cf2023-016-330828\repo\commons-fileupload-1.4.jar Installed version : 1.4 Fixed version : 1.6 Path : C:\ColdFusion2023\cfusion\lib\bundleaxis\commons-fileupload-1.5.jar Installed version : 1.5 Fixed version : 1.6 Path :
We are pleased to inform you that we've released security updates for ColdFusion 2025 and 2023 releases. For more information, see the respective tech notes: ColdFusion (2025 release) Update 6 ColdFusion (2023 release) Update 18 What's new and changed The releases address CVE-2025-66516, a critical XXE in Apache Tika libraries. Adobe strongly recommends that you apply this update as soon as possible. Note that this update is cumulative and includes fixes from previous updates. This update upgrades the embedded Apache Tika libraries, providing the latest security and stability enhancements, while preserving existing application behavior. View the tech notes, and the security bulletin, APSB26-12, for more information. Download the updates ColdFusion 2025 updates ColdFusion 2023 updates Docker and CFFiddle CFFiddle is now updated with the changes The Docker images are also updated: Docker Hub - ColdFusion Images Amazon ECR - ColdFusion Image
Hi everyone,After applying ColdFusion 2023 Update 17 in our ACPT environment, all of our datasources suddenly stopped verifying. The CF Administrator now shows this error: Connection verification failed for data source: <name> java.sql.SQLException: The oracle package is not installed. You can install the package through the CLI package manager (cfpm.bat) by running the command: install oracle.This is happening on all Oracle and SQL Server datasource. However,Running cfpm list confirms that both oracle and sqlserver packages are installed, e.g.:oracle, version : 2023.0.11.330706 sqlserver, version : 2023.0.05.330608Despite this, ColdFusion Admin continues to report the driver as “not installed”. I would like to ask, Is this a known issue where CFPM installs the Oracle package but CF Admin fails to register or load the new driver? and what is the recommended/supported way to ensure ColdFusion Admin maps Oracle datasources after Update 17? Any guidance or confir
Good morning, everyone. We recently applied HF 17 to our servers, and now we have hundreds of error emails flowing in alerting us to an onRequestStart error. Exception java.lang.NullPointerException [in thread "ajp-nio-214.3.xx.xxx-8022-exec-7"] java.lang.ExceptionInInitializerError: Exception java.lang.NullPointerException [in thread "ajp-nio-214.3.xx.xxx-8022-exec-7"] at oracle.jdbc.driver.DynamicByteArray$1.run(DynamicByteArray.java:1133) at java.base/java.security.AccessController.doPrivileged(AccessController.java:318) at oracle.jdbc.driver.DynamicByteArray. We have tried rolling back to backups created before the HF was applied, but we are still getting an error. The file/line is application.cfc, and is in the middle of a query at a CFQUERYPARAM that has "#cgi.remote_addr#" as the value. Has anyone run across this? V/r, WolfShade UPDATE: We have restored from a backup from ten days ago, and seem to be working, now. But we wil
Hi, I bought HS ( Homesite ) 5.5 many years ago and over time I have unfortunately lost the installation file, the one where it asks for your serial which I still have, I have searched for the software but none of the software I have found asks for the serial, can anyone point me in the right direction or even kindly share their installation file. Thanks. David
We are pleased to inform you that we've released security updates for ColdFusion 2025, 2023, and 2021 releases. For more information, see the respective tech notes: ColdFusion (2025 release) Update 5 ColdFusion (2023 release) Update 17 ColdFusion (2021 release) Update 23 End of core support for ColdFusion 2021 update release Adobe ColdFusion (2021 release) Update 23 marks the end of core support for ColdFusion 2021 update releases. Adobe ColdFusion (2021 release) Update 23 is the final update, as this version reached its end of core support on November 10, 2025. After this update, no further core updates will be provided for this version. What's new and changed The updates includes important security fixes that mitigate vulnerabilities related to arbitrary file system write, arbitrary file system read, arbitrary code execution, and security feature bypass. The updates also include: New JVM flags Changes to serialfilter CAR migration changes Tomcat upgrade Bug fixes and k
I'm running CF2023 Enterprise on Windows and am trying to test out the getGraphQLClient for a Shopify API integration, but I keep getting this error trying to make the getGraphQLClient call:Can't find resource for base name coldfusion/osgi/services/resource.properties My test code simply consists of this: <cfset shopifyConfig = { "endpoint": "#apiurl#", "headers": { "X-Shopify-Access-Token": "#session.shopify_access_token#", "Content-Type": "application/json" } }> <cfset shopifyClient=getGraphQLClient(shopifyConfig)>I've already implemented the direct cfhttp call to get my access token and have actually been successful in connecting to Shopify with manually constructed GraphQL queries through cfhttp. I'd just like to see if the baked-in GraphQL client offers some efficiency. I've looked at several posts about this error and clearing the felix-cache with a restart of CF, which I've tried several times on two differ
I have a new laptop and am trying to download ColdFusion Server and Builder.. I am on this link (for CF Server) Download Adobe ColdFusion free trial | Adobe ColdFusion (2025 release) After I fill out the fields in the form and press "Download" nothing happens. I recall having the same problem about three years ago with another device. I think there is a pop-up that I am not seeing.- Can anyone advise please?
We are going to need to update from ColdFusion 2021 Enterprise to version 2025 within the next few months. However, our environment doesn't fit within the requirements of either a Named User License or a Feature Restricted License. The system(s) will not be able to connect to Adobe's licensing servers on the commercial internet. However, they will require private Cloud connectivity via Azure Government Cloud, which means a feature-restricted version that does not allow Cloud access will probably render the system useless. The FAQs suggest a hybrid option may be available, but how do we ensure we are obtaining the right licenses for our environment? (Everything will have to be passed through a Government purchasing vehicle, so the more information we have up-front on how to obtain the right licenses, the fewer bureaucratic & technical complications we're likely to run into.) Thanks!
I'm having the same issue as detailed in this post:https://community.adobe.com/t5/coldfusion-discussions/connection-verification-failed-for-data-source-xxxx-jdbc-java-sql-sqlexception/m-p/15635408?search-action-id=799686186822&search-result-uid=15635408 I'm getting the same error after install Update 17:"Due to security reasons, oracle.sql.converter.CharacterConverter1Byte is blocked for deserialization. Add the class/package in the file cfusion/lib/serialfilter.txt to override the behavior and allow deserialization." So following the solution that was provided in the other community post, I updated <cf_home>/lib/cfserialfilter.txt (I have multiple instances). It now reads as follows:java.util.Locale; java.util.Collections$EmptySet; java.util.HashMap; coldfusion.server.ConfigMap; coldfusion.util.FastHashtable; coldfusion.saml.SpConfiguration; coldfusion.saml.IdpConfiguration; coldfusion.runtime.CaseSensitiveStruct; coldfusion.scheduling.mod.ScheduleTagData; coldfusi
Sorry to be posting questions so frequetly... With CF2023 update 17 comes a few new questions. The related note says, "From this update, ColdFusion blocks all class deserialization by default... Classes not on this allowlist are blocked, and an error is logged advising you to add the relevant class or package to serialfilter.txt if you wish to allow it." Oddly, the destination linked-to in the description of "Serialfilter" from that page says "From Update 5 onwards... ColdFusion blocks all class deserialization by default." If the change was implemented in Update 5, then how does update 17 differ? My bigger question is this... Not being a Java coder, and assuming Adobe doesn't expect CF coders to know what Java deserialization is, I need to ask, are there Java classes that do not "deserialize"? I have a .jar file in cfusion\wwwroot\WEB-INF\lib. With update 17 installed, the class performs fine with no updates to serialfilter.txt. Can I assu
I need to install a group of hotfixes very soon to CF2023 on Windows. CF is just installed as a standalone - not multiple instances. I prefer to do it using the GUI in the CF Admin. I really want to do everything possible to avoid issues, and the following questions are to that end. If anyone has some fast, high-level answers, I would appreciate hearing them. It is recommended in various places to back up the whole ColdFusion2023 folder before Hotfix install. Simple enough, but how/when to restore CF from that backup is not clear. How likely is it that after a significant error, replacing the whole ColdFusion2023 with the backed-up version will get things working again? It is recommended that CF be restarted before running the hotfix from the GUI, to both verify that the user has permissions to restart the services and to free up any resources held by the OS. Does this mean that ALL cf-related services including ODBC Agent, ODBC Server, .NET Service, Add-On Services sho
Hi All, Getting an error i've never seen before on one server of multiple we use to connect to an Oracle datasource via Oracle JDBC Drivers after doing the update from 16 to 17 on CF2023. Connection verification failed for data source: xxxx_jdbcjava.sql.SQLException: Index -1 out of bounds for length 0 Error when trying to verify a datasource. It's an Other datasource. Using Oracle JDBC Drivers (in the cflib foler ojdbc11.jar). Driver Name: oracle.jdbc.driver.OracleDriver Have tried removing the datasource and re-adding and get the same result. Have also tried just adding a different oracle jdbc datasource and get the same result. I've also tried deleting the felix-cache and WEB-INF cfclasses but that doesn't seem to have had any effect. Strangely this is only happening on one server of multiple we have connecting to the datasource, some of which are on CF2023 Update 16 and some Update 17. Stack trace has error messages like: "Error","http-n
So I was helping a colleague debug an issue which seemed to me as an "undefined behaviour" (I may be wrong for defining it as such).We have coldfusion linked with apache on our server, cf runs on 8500 and apache on 8080The coldfusion webroot is /opt/coldfusion/cfusion/wwwroot while the apache webroot is /var/www/htmlIn both webroots he deploys the same file (both files have the same dir structure and name), for example ./sampler/app/index.cfm so he ends up having /var/www/html/sampler/app/index.cfm <!--- /var/www/html/sampler/app/index.cfm ---> <cfoutput>hello</cfoutput>and /opt/coldfusion/cfusion/wwwroot/sampler/app/index.cfm<!--- /opt/coldfusion/cfusion/wwwroot/sampler/app/index.cfm ---> <cfoutput>hi</cfoutput> What he expected to get upon requesting http://250.2.36.996:8080/sampler/app/index.cfm is the output hello since we are pointing to apache, instead we see hi. I decided to give it a look and made a similar
Hi thereI am an intern at Adobe ColdFusion. My current task is to use the URL parameters in my projects. I have searched randomly on Google. I have got its concept and a bit of knowledge of the code, yet, I am unable to achieve this full-fledged in my project. Where and how can I have a solid exposure about it, which leads me to one hundred percent implementation of it?
Remix with Firefly Community Gallery
Thousands of free creations to fall in love with and remix in Firefly.
Already have an account? Login
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.