cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Exit
search
  • Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
  • 한국 커뮤니티
0
Upvote

CF2023, Update 17 Questions

Dordrecht
Participant ,
Dec 30, 2025 Dec 30, 2025

Sorry to be posting questions so frequetly...

 

With CF2023 update 17 comes a few new questions. The related note says, "From this update, ColdFusion blocks all class deserialization by default... Classes not on this allowlist are blocked, and an error is logged advising you to add the relevant class or package to serialfilter.txt if you wish to allow it." Oddly, the destination linked-to in the description of "Serialfilter" from that page says "From Update 5 onwards... 

ColdFusion blocks all class deserialization by default." If the change was implemented in Update 5, then how does update 17 differ?

 

My bigger question is this...  Not being a Java coder, and assuming Adobe doesn't expect CF coders to know what Java deserialization is, I need to ask, are there Java classes that do not "deserialize"? I have a .jar file in cfusion\wwwroot\WEB-INF\lib. With update 17 installed, the class performs fine with no updates to serialfilter.txt. Can I assume that it doesn't error because it doesn't "deserialize"?

 

Is there a way to proactively search our codebase for classes that deserialize? I would think this would be preferrable to a "run your code and fix whatever breaks" methodology.

261
Translate
Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines

correct answers 1 Correct answer

Brian__
Explorer , Dec 30, 2025 Dec 30, 2025

Hi @Dordrecht ,

 

The "Update 5" in the Serialfilter documentation you link to refers to ColdFusion 2025 Update 5.  That's the CF2025 update that corresponds with ColdFuson 2023 Update 17, which were both released with Adobe Product Secuirty Bulletin APSB25-105.

 

Yup -  there are lots of Java classes that don't "deserialize".  If you're adding your own Java libraries to ColdFusion, you could start by reviewing your Java code for calls to readObject() and writeObject().  And while it would be reacti

...
Translate
replies 3 Replies 3
latest latest Jump to latest reply
Brian__
Explorer ,
Dec 30, 2025 Dec 30, 2025

Hi @Dordrecht ,

 

The "Update 5" in the Serialfilter documentation you link to refers to ColdFusion 2025 Update 5.  That's the CF2025 update that corresponds with ColdFuson 2023 Update 17, which were both released with Adobe Product Secuirty Bulletin APSB25-105.

 

Yup -  there are lots of Java classes that don't "deserialize".  If you're adding your own Java libraries to ColdFusion, you could start by reviewing your Java code for calls to readObject() and writeObject().  And while it would be reactive, your best bet might be to just watch the server.log, exception.log and wddx.log log files (outlined in the Serialfilter doc) for blocked occurances of deserialization.

 

Translate
Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Dordrecht
Participant ,
Dec 30, 2025 Dec 30, 2025
In Response To Brian__

Thank you, @Brian__ !

Translate
Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
BKBK Community Expert
Community Expert ,
Dec 31, 2025 Dec 31, 2025
LATEST

@Brian__  has answered the original questions. I have some addtional answers. 

The Java classes that commonly involve deserialization are any classes that:

  • implement java.io.Serializable, or
  • are read by means of ObjectInputStream.readObject().

 

Common examples are:

  • java.util.HashMap
  • java.util.ArrayList
  • java.util.LinkedList
  • java.util.Date
  • java.math.BigDecimal
  • java.lang.Exception (and subclasses)

 

These are already covered by Adobe ColdFusion's internal allow-list, so they'll rarely, if ever, cause issues by themselves. In fact, when you install or update ColdFusion, all the Java classes that it uses are included in its internal allow-list. So there's really no need to proactively search your codebase for classes that deserialize. Unless, as @Brian__ mentioned, there are error messages about serialization in the logs. 

Translate
Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation
ColdFusion User Guide
Open in a new window
Copyright © 2025 Adobe. All rights reserved.
Using the Community Experience League Terms of Use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices