ColdFusion

I'm working on building an interface with ID.me.  I am currently getting back a valid JWT from the ID.me API (it successfully decodes using JWT.IO) but I'm having trouble decoding it in ColdFusion.  The CF function VerifySignedJWT has three required parameters and, I believe, I am having trouble with the second parameter signOptions.  The CF documentation indicates this parameter should be a strcut containing the key, KeyPair, JWK-JSON Web Keyset URL or file or string, Keystore file, keystore password, keystore alias.I am retrieveing the key array from the JWK-JSON Web Keyset URL (ID.me's well known endpoint) but am stuck here.  When I attempt to decode using        <cftry>            <cfset payload = VerifySignedJWT(idToken, key, c)>            <cfcatch type="any">    &n

Keep getting.   java.sql.SQLException: Index -1 out of bounds for length 0   Please help.    I cleared Felix -cache, tried Odbc11.jar in ..\lib folder restarted no difference.   running out of options before rollback.   ty community. I was on call with Adobe over 1 hour they hung up. No respnse from CFsup... email   Jose Duenas Lead systems Kaiser

I am running a developer version of ColdFusion 2025 Version 2025,0,06,331564 on my MacBook Pro MacOS Tahoe 26.2 (25C56). I used the ZIP installer to install it. When ever I try to use the CZIP tag in CFML or function in CFSCRIPT I get the following error:Cannot find implementation class coldfusion.tagext.zip.ZipTag for the zip tag. I have restarted everything. I have run cfpm.sh with `purgecache`. I have deleted the felixcache completely and restarted. I have run cfpm.sh with `install all`.  None of that has resolved it.   I do have the zip package installed. Do I need to recompilie the coldfusion binary? The reason I have not yet just tired to unintall and reinstall is becuase I have spent a lof ot time getting SSL Vhosts working with the default install of Apache on MacOS and ColdFusion so that apache properly hands off ColdFusion requests. I am wary of running the uninstall script because I assume it will remove the jk_mod connector

Tenable Security scan has identified Fileupload-1.5.jar as a high Vulnerability. Is this a false positive ? C:\ColdFusion2023\bundles\repo\commons-fileupload-1.5.jar Installed version : 1.5 Fixed version : 1.6 Path : C:\ColdFusion2023\bundles\updateinstallers\hotfix-packages-cf2023-016-330828\repo\commons-fileupload-1.5.jar Installed version : 1.5 Fixed version : 1.6 Path : C:\ColdFusion2023\bundles\updateinstallers\hotfix-packages-cf2023-016-330828\repo\commons-fileupload-1.4.jar Installed version : 1.4 Fixed version : 1.6 Path : C:\ColdFusion2023\cfusion\lib\bundleaxis\commons-fileupload-1.5.jar Installed version : 1.5 Fixed version : 1.6 Path :

We are pleased to inform you that we've released security updates for ColdFusion 2025 and 2023 releases. For more information, see the respective tech notes: ColdFusion (2025 release) Update 6 ColdFusion (2023 release) Update 18   What's new and changed The releases address CVE-2025-66516, a critical XXE in Apache Tika libraries. Adobe strongly recommends that you apply this update as soon as possible. Note that this update is cumulative and includes fixes from previous updates.  This update upgrades the embedded Apache Tika libraries, providing the latest security and stability enhancements, while preserving existing application behavior. View the tech notes, and the security bulletin, APSB26-12, for more information.   Download the updates ColdFusion 2025 updates ColdFusion 2023 updates   Docker and CFFiddle CFFiddle is now updated with the changes The Docker images are also updated: Docker Hub - ColdFusion Images Amazon ECR - ColdFusion Image

Hi everyone,After applying ColdFusion 2023 Update 17 in our ACPT environment, all of our datasources suddenly stopped verifying. The CF Administrator now shows this error: Connection verification failed for data source: <name> java.sql.SQLException: The oracle package is not installed. You can install the package through the CLI package manager (cfpm.bat) by running the command: install oracle.This is happening on all Oracle and SQL Server datasource. However,Running cfpm list confirms that both oracle and sqlserver packages are installed, e.g.:oracle, version : 2023.0.11.330706 sqlserver, version : 2023.0.05.330608Despite this, ColdFusion Admin continues to report the driver as “not installed”. I would like to ask, Is this a known issue where CFPM installs the Oracle package but CF Admin fails to register or load the new driver? and what is the recommended/supported way to ensure ColdFusion Admin maps Oracle datasources after Update 17? Any guidance or confir

Good morning, everyone. We recently applied HF 17 to our servers, and now we have hundreds of error emails flowing in alerting us to an onRequestStart error. Exception java.lang.NullPointerException [in thread "ajp-nio-214.3.xx.xxx-8022-exec-7"] java.lang.ExceptionInInitializerError: Exception java.lang.NullPointerException [in thread "ajp-nio-214.3.xx.xxx-8022-exec-7"] at oracle.jdbc.driver.DynamicByteArray$1.run(DynamicByteArray.java:1133) at java.base/java.security.AccessController.doPrivileged(AccessController.java:318) at oracle.jdbc.driver.DynamicByteArray. We have tried rolling back to backups created before the HF was applied, but we are still getting an error.  The file/line is application.cfc, and is in the middle of a query at a CFQUERYPARAM that has "#cgi.remote_addr#" as the value. Has anyone run across this? V/r, WolfShade UPDATE:  We have restored from a backup from ten days ago, and seem to be working, now.  But we wil

Hi, I bought HS ( Homesite ) 5.5 many years ago and over time I have unfortunately lost the installation file, the one where it asks for your serial which I still have, I have searched for the software but none of the software I have found asks for the serial, can anyone point me in the right direction or even kindly share their installation file. Thanks. David

We are pleased to inform you that we've released security updates for ColdFusion 2025, 2023, and 2021 releases. For more information, see the respective tech notes: ColdFusion (2025 release) Update 5 ColdFusion (2023 release) Update 17 ColdFusion (2021 release) Update 23 End of core support for ColdFusion 2021 update release Adobe ColdFusion (2021 release) Update 23 marks the end of core support for ColdFusion 2021 update releases. Adobe ColdFusion (2021 release) Update 23 is the final update, as this version reached its end of core support on November 10, 2025. After this update, no further core updates will be provided for this version.   What's new and changed The updates includes important security fixes that mitigate vulnerabilities related to arbitrary file system write, arbitrary file system read, arbitrary code execution, and security feature bypass. The updates also include: New JVM flags Changes to serialfilter CAR migration changes Tomcat upgrade Bug fixes and k

I'm running CF2023 Enterprise on Windows and am trying to test out the getGraphQLClient for a Shopify API integration, but I keep getting this error trying to make the getGraphQLClient call:Can't find resource for base name coldfusion/osgi/services/resource.properties My test code simply consists of this: <cfset shopifyConfig = { "endpoint": "#apiurl#", "headers": { "X-Shopify-Access-Token": "#session.shopify_access_token#", "Content-Type": "application/json" } }> <cfset shopifyClient=getGraphQLClient(shopifyConfig)>I've already implemented the direct cfhttp call to get my access token and have actually been successful in connecting to Shopify with manually constructed GraphQL queries through cfhttp.  I'd just like to see if the baked-in GraphQL client offers some efficiency. I've looked at several posts about this error and clearing the felix-cache with a restart of CF, which I've tried several times on two differ

I have a new laptop and am trying to download ColdFusion Server and Builder.. I am on this link (for CF Server) Download Adobe ColdFusion free trial | Adobe ColdFusion (2025 release) After I fill out the fields in the form and press "Download" nothing happens. I recall having the same problem about three years ago with another device. I think there is a pop-up that I am not seeing.- Can anyone advise please?

We are going to need to update from ColdFusion 2021 Enterprise to version 2025 within the next few months. However, our environment doesn't fit within the requirements of either a Named User License or a Feature Restricted License. The system(s) will not be able to connect to Adobe's licensing servers on the commercial internet. However, they will require private Cloud connectivity via Azure Government Cloud, which means a feature-restricted version that does not allow Cloud access will probably render the system useless. The FAQs suggest a hybrid option may be available, but how do we ensure we are obtaining the right licenses for our environment? (Everything will have to be passed through a Government purchasing vehicle, so the more information we have up-front on how to obtain the right licenses, the fewer bureaucratic & technical complications we're likely to run into.) Thanks!

I'm having the same issue as detailed in this post:https://community.adobe.com/t5/coldfusion-discussions/connection-verification-failed-for-data-source-xxxx-jdbc-java-sql-sqlexception/m-p/15635408?search-action-id=799686186822&search-result-uid=15635408 I'm getting the same error after install Update 17:"Due to security reasons, oracle.sql.converter.CharacterConverter1Byte is blocked for deserialization. Add the class/package in the file cfusion/lib/serialfilter.txt to override the behavior and allow deserialization." So following the solution that was provided in the other community post, I updated <cf_home>/lib/cfserialfilter.txt (I have multiple instances). It now reads as follows:java.util.Locale; java.util.Collections$EmptySet; java.util.HashMap; coldfusion.server.ConfigMap; coldfusion.util.FastHashtable; coldfusion.saml.SpConfiguration; coldfusion.saml.IdpConfiguration; coldfusion.runtime.CaseSensitiveStruct; coldfusion.scheduling.mod.ScheduleTagData; coldfusi

Sorry to be posting questions so frequetly... With CF2023 update 17 comes a few new questions. The related note says, "From this update, ColdFusion blocks all class deserialization by default... Classes not on this allowlist are blocked, and an error is logged advising you to add the relevant class or package to serialfilter.txt if you wish to allow it." Oddly, the destination linked-to in the description of "Serialfilter" from that page says "From Update 5 onwards... ColdFusion blocks all class deserialization by default." If the change was implemented in Update 5, then how does update 17 differ? My bigger question is this...  Not being a Java coder, and assuming Adobe doesn't expect CF coders to know what Java deserialization is, I need to ask, are there Java classes that do not "deserialize"? I have a .jar file in cfusion\wwwroot\WEB-INF\lib. With update 17 installed, the class performs fine with no updates to serialfilter.txt. Can I assu

I need to install a group of hotfixes very soon to CF2023 on Windows. CF is just installed as a standalone - not multiple instances. I prefer to do it using the GUI in the CF Admin. I really want to do everything possible to avoid issues, and the following questions are to that end. If anyone has some fast, high-level answers, I would appreciate hearing them.  It is recommended in various places to back up the whole ColdFusion2023 folder before Hotfix install. Simple enough, but how/when to restore CF from that backup is not clear. How likely is it that after a significant error, replacing the whole ColdFusion2023 with the backed-up version will get things working again? It is recommended that CF be restarted before running the hotfix from the GUI, to both verify that the user has permissions to restart the services and to free up any resources held by the OS. Does this mean that ALL cf-related services including ODBC Agent, ODBC Server, .NET Service, Add-On Services sho

Hi All, Getting an error i've never seen before on one server of multiple we use to connect to an Oracle datasource via Oracle JDBC Drivers after doing the update from 16 to 17 on CF2023. Connection verification failed for data source: xxxx_jdbcjava.sql.SQLException: Index -1 out of bounds for length 0 Error when trying to verify a datasource. It's an Other datasource. Using Oracle JDBC Drivers (in the cflib foler ojdbc11.jar). Driver Name: oracle.jdbc.driver.OracleDriver Have tried removing the datasource and re-adding and get the same result. Have also tried just adding a different oracle jdbc datasource and get the same result. I've also tried deleting the felix-cache and WEB-INF cfclasses but that doesn't seem to have had any effect. Strangely this is only happening on one server of multiple we have connecting to the datasource, some of which are on CF2023 Update 16 and some Update 17. Stack trace has error messages like: "Error","http-n

So I was helping a colleague debug an issue which seemed to me as an "undefined behaviour" (I may be wrong for defining it as such).We have coldfusion linked with apache on our server, cf runs on 8500 and apache on 8080The coldfusion webroot is /opt/coldfusion/cfusion/wwwroot while the apache webroot is /var/www/htmlIn both webroots he deploys the same file (both files have the same dir structure and name), for example ./sampler/app/index.cfm so he ends up having /var/www/html/sampler/app/index.cfm <!--- /var/www/html/sampler/app/index.cfm ---> <cfoutput>hello</cfoutput>and /opt/coldfusion/cfusion/wwwroot/sampler/app/index.cfm<!--- /opt/coldfusion/cfusion/wwwroot/sampler/app/index.cfm ---> <cfoutput>hi</cfoutput> What he expected to get upon requesting http://250.2.36.996:8080/sampler/app/index.cfm is the output hello since we are pointing to apache, instead we see hi. I decided to give it a look and made a similar

Hi thereI am an intern at Adobe ColdFusion. My current task is to use the URL parameters in my projects. I have searched randomly on Google. I have got its concept and a bit of knowledge of the code, yet, I am unable to achieve this full-fledged in my project. Where and how can I have a solid exposure about it, which leads me to one hundred percent implementation of it?

Hi everyone, We're excited to announce a new Adobe Community experience is coming this January. A little bit about the update:The new experience will be simpler to navigate, make it easier to connect with other creatives and Adobe experts, and will give you clearer ways to share feature ideas, enhancement requests, and bug reports—with greater visibility into their status with our product teams. In the meantime: Adobe Community will remain active. Keep using it as usual—there will be no interruption in access. In fact, you’ll notice even more Adobe Experts on deck to provide faster responses before, during, and after the update. No existing content will be lost in the update. Every single post, reply, solution, feature request, and bug report you’ve made will be transferred to the new experience. You won't need to recreate anything. Existing content will reappear in two phases. When we launch the new community, all posts created on or before November 16 will be there from day one. Aft

We have an application (CF2013 running on Win2019)  that is failing with the error pasted below  "Error","ajp-nio-127.0.0.1-8022-exec-8","12/03/25","15:42:36",SIRdmini11_25_p1,"The axis package is not installed.You can install package through CLI package manager (D:/ColdFusion2023/cfusion/bin/cfpm.bat) by running the command : install axis. It is stating to install the axis package. But according to the cfpm.bat list.. its says that the axis package is installed(see below).   This package and this version of the package is installed on a different ColdFusion server of ours and the application is working just fine there.  Additionally I have cleared the Felix-cache, and that did not fix the error.  Any suggustions?  Thanks! 🙂coldfusionerror.png

In our development environment, we've started testing and deploying new code with CF2025.However, our CI/CD is based on CF2023, as it's still in our production environments.We've had a compilation error in our pipelines, which I'll summarize here:<cfscript> s = { key1 = 1, } writeDump(s); </cfscript> On CF2025: no reportsOn CF2023 (or all other previous versions): an "Invalid CFML construct found" exception is received In my opinion, the exception reporting handled so far in CF2023 is correct and is a bug to report in CF2025.In your opinion, is it right or wrong?

We are running CF 2023 and just updated from Update 14 to Update 16.  We have two errors that are occuring, because of the reference to Bouncy Castle, one of them looks like the CFMAIL error  that others experieneced, however clearing the felix-cache and restarting the instances did not work for us.  In both cases, we are using encryption keys and the code base hasn't changed and worked previously on Update 14.1) trouble with <cfftp><cfftp action="open" server="sftp.********.com" port="22" username="********" key="C:\********\privateKey.ppk" passphrase="********" secure="yes" connection="connFTP" /> This call is now returning the following error message.structCause'argon2' is required, but it is not available.DetailVerify your connection attributes: username, password, server, fingerprint, port, key, connection, proxyServer, and secure (as applicable). Error: 'a

Hi, all. I'm doing an update soon to include a hotfix that references this JVM flag. I'm not a Java guy, so please excuse the question if it is ridiculous, Everywhere I read about this flag on the Web, the purpose is stated something like this: "...this flag prevents ColdFusion from executing pre-compiled CFML code (Java bytecode) at runtime." This confuses me, because ColdFusion works by executing precompiled Java bytecode at runtime, right? It would be very inefficient if it did not. A Google search for the flag indicates such bytecode is in "older" code, but CF's uses precompilation to this day. I've already installed the hotfix on a dev server and my code still works, even when "save class files" is turned on in the CF admin, so I'm guessing this JVM flag only applies to a different kind of precompiled java bytecode. If so, what kind? How might I determine whether there is any of this Java bytecode present in my (large, inherited) application? Thanks!

Did anyone hear anything from CF Team about this ? https://www.cve.org/CVERecord?id=CVE-2025-66516 Resolution suggests updating files to version 3.2.2 from 1.2.x found in CF. Posting here as its flagged critical ? is anyone else also seeing this.

I'd like to restrict Jetty access to the server itself only (CF2021).  I need to do this because the port, 8993, is coming up on a security scan.  I can't use Windows Firewall to block the port (it's complicated, but long story short, it's not an option). I have found two places to do this, I think: [cf]\cfusion\jetty\start.ini## Connector host/address to bind to # jetty.http.host=0.0.0.0 ## Connector port to listen on jetty.http.port=8993I'd change the 2nd line to jetty.http.host=127.0.0.1.  Would this cause any problems?  I did this in my test environment and the server seemed fine.  We don't use Solr; we do use PDF generation, and PDFs still generated after I made this change. [cf]\cfusion\jetty\etc\jetty-ipaccess.xml<Configure id="Server" class="org.eclipse.jetty.server.Server"> <Call name="insertHandler"> <Arg> <New id="IPAccessHandler" class="org.eclipse.jetty.server.handler.IPAccessHandler