CF 2023 Update 17 - ColdFusion serialfilter file

Report · Dec 19, 2025

I'm having the same issue as detailed in this post:

https://community.adobe.com/t5/coldfusion-discussions/connection-verification-failed-for-data-source...

I'm getting the same error after install Update 17:

"Due to security reasons, oracle.sql.converter.CharacterConverter1Byte is blocked for deserialization. Add the class/package in the file cfusion/lib/serialfilter.txt to override the behavior and allow deserialization."

So following the solution that was provided in the other community post, I updated <cf_home>/lib/cfserialfilter.txt (I have multiple instances). It now reads as follows:

java.util.Locale;
java.util.Collections$EmptySet;
java.util.HashMap;
coldfusion.server.ConfigMap;
coldfusion.util.FastHashtable;
coldfusion.saml.SpConfiguration;
coldfusion.saml.IdpConfiguration;
coldfusion.runtime.CaseSensitiveStruct;
coldfusion.scheduling.mod.ScheduleTagData;
coldfusion.runtime.ArgumentCollection;
coldfusion.util.CaseInsensitiveMap;
coldfusion.runtime.AttributeCollection;
coldfusion.sql.QueryTable;
coldfusion.archivedeploy.Archive;
coldfusion.scheduling.ScheduleTagData;
oracle.sql.converter.*;

(These entries were verified against: https://helpx.adobe.com/coldfusion/kb/coldfusion-serialfilter-file.html)

For some reason, the change doesn't make any difference. I'm still seeing the error when accessing the CF Application. I verified that during startup the CF instance is reading the <cf_home>/lib/cfserialfilter.txt file.

I looked through my <cf_home>/bin/jvm.config and I do not have the jdk.serialFilter flag set.

I also tried appending "oracle.sql.converter.*;" to the cfusion/lib/cfserialfilter.txt file to and restarting the server. Still didn't work.

It seems like this should be a simple fix but I must be missing something. Any ideas?

Report · Dec 21, 2025

Hi @scorch_007 , the default contents of the serialfilter.txt file are:

!org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**;!com.mysql.cj.jdbc.interceptors.**;!org.apache.commons.collections.**;

So, in your case, I expected the contents of the serialfilter.txt file to be something like:

oracle.sql.converter.**;!org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**;!com.mysql.cj.jdbc.interceptors.**;!org.apache.commons.collections.**;

As you're using the serialfilter.txt file, you should not use the JVM flag -Djdk.serialFilter. For two reasons: firstly, the JVM flag is an alternative to the serialfilter.txt file; secondly, the JVM flag may even override the file. The flag is better suited to JEE (WAR or EAR) ColdFusion installations.

There is a JVM flag relating to databases and to serialization that requires particular attention:

-Dcoldfusion.datasource.blocked.properties=allowLoadLocalInfile,allowUrlInLocalInfile,autoDeserialize

As from ColdFusion 2023 Update 17 / ColdFusion 2025 Update 5, that flag has been renamed. The word "blocked" has been changed to "allowed". So the flag is now

-Dcoldfusion.datasource.allowed.properties=allowLoadLocalInfile,allowUrlInLocalInfile,autoDeserialize

Report · Jan 07, 2026

This is important information Thank you.

I had to modify the serialfilter.txt in the lib folder of the instance to make it work.

Report · Dec 21, 2025

Scorch, I think I see what is your mistake: it seems you've added the needed values to the wrong file.

1) Look carefully at that error message, which had said, "Add the class/package in the file cfusion/lib/serialfilter.txt". But instead you say here that "I updated <cf_home>/lib/cfserialfilter.txt". Note the difference of the "cf" in front of the one you say you changed.

Please add the line to the one file and also REMOVE it from the other. Then let us know how things go.

2) BTW, the doc page you linked to does also distinguish the two files, with its first section on serialfilter.txt and its second on cfserialfilter.txt. Even so, I am notifying Adobe to suggest that they could make that distinction more clear at the top of that doc--and that it would help to offer also the default value of the former, like they do for the latter.

3) Finally, as for the other forum thread here that you point to, I see now that it makes the same mistake. I will offer the same suggested correction there.

/Charlie (troubleshooter, carehart. org)

Report · Dec 21, 2025

Thank you! That was indeed the problem. I kept thinking the cfserialfilter.txt was the one I should be concerned about (being CF and all). Thank you for catching my mistake and offering the clarification. All is working as expected now.

Report · Dec 22, 2025

Great to hear and glad to have helped. Again, easy mistake to make, and this sort of situation is generally the best way to make such a distinction stick. 🙂

/Charlie (troubleshooter, carehart. org)

Report · Dec 22, 2025

Thanks, Charlie. That was indeed an oversight. I have changed the file-name to serialfilter.txt.

Report · Dec 22, 2025

Good to hear--but note that while you changed the first reference you left the second by mistake. (I only press the point because some may well see that reply before the others and try to follow it.)

/Charlie (troubleshooter, carehart. org)

Report · Dec 22, 2025

Cheers, Charlie.

CF 2023 Update 17 - ColdFusion serialfilter file

1 Correct answer