Skip to main content
scorch_007
scorch_007
December 19, 2025
Answered

CF 2023 Update 17 - ColdFusion serialfilter file

  • December 19, 2025
  • 2 replies
  • 611 views

I'm having the same issue as detailed in this post:

https://community.adobe.com/t5/coldfusion-discussions/connection-verification-failed-for-data-source-xxxx-jdbc-java-sql-sqlexception/m-p/15635408?search-action-id=799686186822&search-result-uid=15635408

 

I'm getting the same error after install Update 17:

"Due to security reasons, oracle.sql.converter.CharacterConverter1Byte is blocked for deserialization. Add the class/package in the file cfusion/lib/serialfilter.txt to override the behavior and allow deserialization."

 

So following the solution that was provided in the other community post, I updated <cf_home>/lib/cfserialfilter.txt (I have multiple instances). It now reads as follows:

java.util.Locale;
java.util.Collections$EmptySet;
java.util.HashMap;
coldfusion.server.ConfigMap;
coldfusion.util.FastHashtable;
coldfusion.saml.SpConfiguration;
coldfusion.saml.IdpConfiguration;
coldfusion.runtime.CaseSensitiveStruct;
coldfusion.scheduling.mod.ScheduleTagData;
coldfusion.runtime.ArgumentCollection;
coldfusion.util.CaseInsensitiveMap;
coldfusion.runtime.AttributeCollection;
coldfusion.sql.QueryTable;
coldfusion.archivedeploy.Archive;
coldfusion.scheduling.ScheduleTagData;
oracle.sql.converter.*;

(These entries were verified against: https://helpx.adobe.com/coldfusion/kb/coldfusion-serialfilter-file.html)

 

For some reason, the change doesn't make any difference. I'm still seeing the error when accessing the CF Application. I verified that during startup the CF instance is reading the <cf_home>/lib/cfserialfilter.txt file.

 

I looked through my <cf_home>/bin/jvm.config and I do not have the jdk.serialFilter flag set.

 

I also tried appending "oracle.sql.converter.*;" to the cfusion/lib/cfserialfilter.txt file to and restarting the server. Still didn't work.

 

It seems like this should be a simple fix but I must be missing something. Any ideas?

      Correct answer Charlie Arehart

      Scorch, I think I see what is your mistake: it seems you've added the needed values to the wrong file.

       

      1) Look carefully at that error message, which had said, "Add the class/package in the file cfusion/lib/serialfilter.txt". But instead you say here that "I updated <cf_home>/lib/cfserialfilter.txt". Note the difference of the "cf" in front of the one you say you changed.

       

      Please add the line to the one file and also REMOVE it from the other. Then let us know how things go.

       

      2) BTW, the doc page you linked to does also distinguish the two files, with its first section on serialfilter.txt and its second on cfserialfilter.txt. Even so, I am notifying Adobe to suggest that they could make that distinction more clear at the top of that doc--and that it would help to offer also the default value of the former, like they do for the latter.

       

      3) Finally, as for the other forum thread here that you point to, I see now that it makes the same mistake. I will offer the same suggested correction there.

      2 replies

      Charlie Arehart
      Community Expert
      Charlie ArehartCommunity ExpertCorrect answer
      Community Expert
      December 21, 2025

      Scorch, I think I see what is your mistake: it seems you've added the needed values to the wrong file.

       

      1) Look carefully at that error message, which had said, "Add the class/package in the file cfusion/lib/serialfilter.txt". But instead you say here that "I updated <cf_home>/lib/cfserialfilter.txt". Note the difference of the "cf" in front of the one you say you changed.

       

      Please add the line to the one file and also REMOVE it from the other. Then let us know how things go.

       

      2) BTW, the doc page you linked to does also distinguish the two files, with its first section on serialfilter.txt and its second on cfserialfilter.txt. Even so, I am notifying Adobe to suggest that they could make that distinction more clear at the top of that doc--and that it would help to offer also the default value of the former, like they do for the latter.

       

      3) Finally, as for the other forum thread here that you point to, I see now that it makes the same mistake. I will offer the same suggested correction there.

      /Charlie (troubleshooter, carehart. org)
      scorch_007
      scorch_007Author
      December 22, 2025

      Thank you! That was indeed the problem. I kept thinking the cfserialfilter.txt was the one I should be concerned about (being CF and all). Thank you for catching my mistake and offering the clarification. All is working as expected now. 

      Charlie Arehart
      Community Expert
      Charlie ArehartCommunity Expert
      Community Expert
      December 22, 2025

      Great to hear and glad to have helped. Again, easy mistake to make, and this sort of situation is generally the best way to make such a distinction stick. 🙂 

      /Charlie (troubleshooter, carehart. org)
      BKBK
      Community Expert
      BKBKCommunity Expert
      Community Expert
      December 21, 2025

      Hi @scorch_007 , the default contents of the serialfilter.txt file are:

      !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**;!com.mysql.cj.jdbc.interceptors.**;!org.apache.commons.collections.**;

      So, in your case, I expected the contents of the serialfilter.txt file to be something like:

      oracle.sql.converter.**;!org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**;!com.mysql.cj.jdbc.interceptors.**;!org.apache.commons.collections.**;


      As you're using the serialfilter.txt file, you should not use the JVM flag -Djdk.serialFilter. For two reasons: firstly, the JVM flag is an alternative to the serialfilter.txt file; secondly, the JVM flag may even override the file. The flag is better suited to JEE (WAR or EAR) ColdFusion installations.

       

      There is a JVM flag relating to databases and to serialization that requires particular attention:

      -Dcoldfusion.datasource.blocked.properties=allowLoadLocalInfile,allowUrlInLocalInfile,autoDeserialize

       

      As from ColdFusion 2023 Update 17 / ColdFusion 2025 Update 5, that flag has been renamed. The word "blocked" has been changed to "allowed". So the flag is now

      -Dcoldfusion.datasource.allowed.properties=allowLoadLocalInfile,allowUrlInLocalInfile,autoDeserialize

       

        B
        Bardnet
        Inspiring
        January 7, 2026

        This is important information  Thank you. 

        I had to modify the serialfilter.txt in the lib folder of the instance to make it  work. 

        Terms & ConditionsAccessibility statement
        Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices