!! AGAIN !! CF security update APSB25-69 emptying pathfilter.json

Report · Jul 09, 2025

After applying latest security update the file pathfilter.json is totaly empty!
Result: logfiles defined in scheduled tasks cannot be written.
The message is:

"Warning","main","07/09/25","08:55:31","","The specified path: D:/ScheduleLogs/solr_index_documentatie_website_DEV.html is not allowed for scheduled tasks.
To allow it, whitelist the path in cf-root/lib/pathfilter.json against key schedulerexecutionpaths. "
IMHO: Totaly disappointing and unacceptable

Report · Jul 09, 2025

@TuesdayM Once the update is installed, backup of your pathfilter.json file will be placed here <cf_instance>\hf-updates\hf-2025-00003-331507\backup\lib

For now, you could pick the file from backup and place it in lib and restart ColdFusion server

Report · Jul 09, 2025

While I can confirm the problem Tuesday has observed, and I appreciate the workaround Megha has offered, that is not the correct long-term solution for this.

First though, to be clear, it's not that the pathfilter.json is ""totaly empty" but rather reset to its properties having empty values. But either way, the consequence is that after the update any existing scheduled tasks (or system probes) which "publish"/save output to a file are REMOVED on the startup which happens after the update. (And those are NOT so easily recovered, as the single neo-cron.bak is soon overwritten.)

And while the technote for this update and the previous one do warn folks (in a "known issue" bullet) to backup the neo-cron.xml before doing the update, many will miss that step and lose their tasks--with the frustration Tuesday here has shared, specifically when they DID modify the pathfilter.json, intending to PREVENT this loss of tasks.

The correct solution is that the update simply should NOT overwrite the pathfilter.json if it exists. Megha, it's not clear if you're saying you all acknowledge this and plan to change it. Sadly, even if it's fixed in some later update, this problem will bite people for weeks or even months to come, until then.

(One more thing: if a future need to replace the file is because of a need to change the layout of the file--such as to add a new path setting, there should instead be a mechanism buiit into the update to fold the current values of any existing file into that new format.)

Megha, let us know if a bug report or feature request needs to be filed to get the update to NOT overwrite the file, if present.

/Charlie (troubleshooter, carehart. org)

Report · Jul 09, 2025

Hi Megha - thanks for your quick reply and workaround - we already replaced the file with a backup.
*
Thanks a lot Charlie for your elborate reply. You are right: the correct solution is that the update simply should NOT overwrite the pathfilter.json if it exists. BTW: the issue came up already in the previous CF 2023 update. Hopefully Adobe will fix this issue. Kind regards.

Report · Jul 09, 2025

Thanks for the update and kind regards.

As for the previous update, well, technically that's the update which INTRODUCED the pathfilter.json file--replacing the simpler pathfilter.txt (controlling only bytecode execution path whitelisting) with the more flexible json file (supporting now also this scheduled task output path whitelisting).

So yes, the latter replaced the former. And yes, that new json file again had no values for these two paths. So it was LIKE this problem, but not really the SAME problem, with regard to scheduled tasks. 🙂

Not being argumentative: just trying to be precise, so as to help everyone finding this who may be wanting to understand it all.

/Charlie (troubleshooter, carehart. org)

Report · Jul 09, 2025

@Charlie Arehart I have created an internal ticket and we are tracking the issue through it.

This should be fixed in upcoming update

Report · Jul 11, 2025

Path is case sensitive.

Report · Aug 28, 2025

Updated CF2023 from U14 to U15 today and can report an improvement in the scheduled tasks upgrade handling. The pathfilter.json entries that write to output file were not deleted, instead they are now highlighted in red in the Scheduled Tasks admin page. I updated the pathfilter.json with my allowed paths, restarted CF and all is well.

Report · Aug 28, 2025

Since this awful forum software won't let me edit my own posts, a correction to the above:

The Scheduled Task entries that write to output file were not deleted, instead they are now highlighted in red in the Scheduled Tasks admin page.

Report · Aug 28, 2025

Good to point out, though of course this thread is about how the problem in this (July) update which sadly REMOVED any previous pathfilter.json (replacing it with a essentially empty default file). You don't mention experiencing that.

Indeed, you say "I updated the pathfilter.json with my allowed paths, restarted CF and all is well." Perhaps you're saying you were aware of the problem (and were prepared for it), which is indeed good news. 🙂

And then maybe you're just wanting to let folks know how the problem of the PREVIOUS update is fixed (the message you're seeing, and the tasks no longer being deleted during startup). Indeed it is. 🙂 And it's mentioned in the update technote, under "bugs fixed", but not with the clarity you've offered. That will help others who may find the thread. Thanks.

/Charlie (troubleshooter, carehart. org)

Report · Aug 28, 2025

Charlie,

Updating from U14 to U15, the pathfilter.json was indeed reset to default (with empty paths). But I was glad to see the scheduled tasks on admin page were not deleted and instead highlighted with red bars to give a signal that something was not correct.

Report · Aug 28, 2025

Thx for the confirmation.

/Charlie (troubleshooter, carehart. org)

!! AGAIN !! CF security update APSB25-69 emptying pathfilter.json

1 Correct answer