Community Manager
December 9, 2025
Question

NOW LIVE! ColdFusion 2025, 2023, and 2021 December security updates

  • December 9, 2025
  • 3 replies
  • 1433 views

We are pleased to inform you that we've released security updates for ColdFusion 2025, 2023, and 2021 releases. For more information, see the respective tech notes:

End of core support for ColdFusion 2021 update release

Adobe ColdFusion (2021 release) Update 23 marks the end of core support for ColdFusion 2021 update releases.

Adobe ColdFusion (2021 release) Update 23 is the final update, as this version reached its end of core support on November 10, 2025. After this update, no further core updates will be provided for this version.

What's new and changed

The updates include important security fixes that mitigate vulnerabilities related to arbitrary file system write, arbitrary file system read, arbitrary code execution, and security feature bypass. The updates also include:

  • New JVM flags
  • Changes to serialfilter
  • CAR migration changes
  • Tomcat upgrade
  • Bug fixes and known issues

View the tech notes and security bulletin, APSB25-105, for more information.

Download the updates

Docker and CFFiddle

Please download and apply the updates and provide your feedback.


    Participating Frequently
    December 16, 2025

    We are seeing the following error in 2021 HF 23:

    Due to security reasons, coldfusion.scheduling.ScheduleTagData is blocked for deserialization. Add the class/package in the file cfusion/lib/serialfilter.txt to override the behavior and allow deserialization.

    According to the docs - https://helpx.adobe.com/coldfusion/kb/coldfusion-serialfilter-file.html

    coldfusion.scheduling.ScheduleTagData; is a default allowed package.

    "By default, the packages that ColdFusion allows for Wddx deserialization are:"

    java.util.Locale;
    java.util.Collections$EmptySet;
    java.util.HashMap;
    coldfusion.server.ConfigMap;
    coldfusion.util.FastHashtable;
    coldfusion.saml.SpConfiguration;
    coldfusion.saml.IdpConfiguration;
    coldfusion.runtime.CaseSensitiveStruct;
    coldfusion.scheduling.mod.ScheduleTagData;
    coldfusion.runtime.ArgumentCollection;
    coldfusion.util.CaseInsensitiveMap;
    coldfusion.runtime.AttributeCollection;
    coldfusion.sql.QueryTable;
    coldfusion.archivedeploy.Archive;
    coldfusion.scheduling.ScheduleTagData;
    coldfusion.osgi.to.ScheduleTagTO;
    Why are we getting this error?

    As a result, clustered tasks are not working.

    If we add the class to the serialfilter.txt (not cfserialfilter.txt - it's already in this file) the issue is resolved. I assume this issue is a bug?

    December 18, 2025

    Since applying the updates (both 23 on CF2021 Standard and 5 on CF2025 Standard) I'm unable to connect to Oracle data sources using a JDBC connection (I get an error java.sql.SQLException: Index -1 out of bounds for length 0). Is there a way I can fix this? I've rolled back the security update on both servers and the issue went away, but that's not a fix. Thanks

    Adobe Employee
    December 19, 2025

    @pauls67473543
    You can add some more information, such as logs.

    Participant
    December 12, 2025

    What is the syntax for referring to files for `car.associatedfiles` in pathfilter.json? Could you share an example of a completed pathfilter.json with multiple whitelisted .car files?

    Adobe Employee
    December 19, 2025

    Hi,
    To allow a specific path for CAR deployment, use the deploypath setting.
    To allow associated files to be included in CAR files, use associatedfiles.
    Below are the pathfilter.json contents where test.car and test2.car are allowed to be deployed:

    {
        "comments": "paths should be semi-colon seperated. To Allow a file: {path-of-file}; To Allow a directory & files in it: {path-to-directory}/*; To Allow a directory & sub-directories: {path-to-directory}/**; To Block a file: !{path-of-file}; To Block a directory & sub-directories: !{path-to-directory}/**; Precedence decreases from left to right. Suppose directory A has directory B & C inside it.To Allow B & Block C: !A/C/*;A/**;",
        "bytecodeexecutionpaths": "",
        "schedulerexecutionpaths": "",
        "car": {
            "deploypath": "/opt/coldfusion/cfusion/packages/test.car;/opt/coldfusion/cfusion/packages/test2.car;",
            "associatedfiles": ""
        }
    }

    If you want to allow an entire folder along with all its subfolders, you can use:

    /opt/coldfusion/cfusion/package/**

    Thanks,

    Rochelle
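As an added example (not Adobe's code and not ColdFusion's actual implementation), the following Python checker evaluates a CAR path against the deploypath rules using the rule syntax described in the file's own "comments" entry above. It assumes the rules are tried left to right with the first match deciding, that a path matching no rule is denied, and it normalizes the path before matching so a `..` segment cannot sidestep a block rule; the sample pathfilter.json is constructed.

```python
import json
import posixpath

# Constructed sample pathfilter.json contents (not from a real installation).
SAMPLE_PATHFILTER = json.dumps({
    "car": {
        "deploypath": (
            "!/opt/coldfusion/cfusion/packages/old/**;"    # block old/ and everything below it
            "/opt/coldfusion/cfusion/packages/test.car;"   # allow one specific archive
            "/opt/coldfusion/cfusion/packages/approved/*;" # allow files directly in approved/
        ),
        "associatedfiles": "",
    }
})

def parse_rules(spec):
    """Split a semicolon-separated rule string into (allow, pattern) pairs;
    a leading '!' marks a block rule, as in the file's own 'comments' entry."""
    rules = []
    for raw in spec.split(";"):
        raw = raw.strip()
        if raw:
            rules.append((not raw.startswith("!"), raw.lstrip("!")))
    return rules

def rule_matches(pattern, path):
    """Match one rule: exact file, 'dir/*' (direct children) or 'dir/**' (recursive)."""
    path = posixpath.normpath(path)  # collapse '..' so traversal cannot sidestep a block rule
    if pattern.endswith("/**"):
        return path.startswith(posixpath.normpath(pattern[:-3]) + "/")
    if pattern.endswith("/*"):
        return posixpath.dirname(path) == posixpath.normpath(pattern[:-2])
    return path == posixpath.normpath(pattern)

def is_allowed(spec, path):
    """Assumed semantics: rules are tried left to right, the first match decides,
    and a path that matches no rule is denied."""
    for allow, pattern in parse_rules(spec):
        if rule_matches(pattern, path):
            return allow
    return False

def check_car(pathfilter_json, car_path):
    """Decide whether car_path may be deployed under the given pathfilter.json text."""
    return is_allowed(json.loads(pathfilter_json)["car"]["deploypath"], car_path)
```

Running the doc's own "!A/C/*;A/**;" example through `is_allowed` permits A/B/f.car and blocks A/C/f.car, and a `/*` rule does not descend into subdirectories, which is the difference between `/*` and `/**` that the comments entry describes.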

    Charlie Arehart
    Community Expert
    December 10, 2025

    Thanks Saurav. And readers may be interested to hear that I did a post with more about the update (as I try to do for each update, pointing to this one and other resources as well as offering lots more info to help folks applying the update).

    Additionally, if anyone seeing this applied the update and then found that the CF Admin stopped working, I'll note that it's a problem that some folks (myself included) experienced with CF2023 when doing the update yesterday. Technically, it's a problem that can happen with the other versions and other CF updates, where the issue is that the administrator package and indeed all updated packages are unexpectedly uninstalled during the first startup but then not updated/reinstalled.

    Some good news first is that there's a solution for the problem if it happened/happens to you. Second, the problem didn't happen in an update I did to CF2023 later that night. So I attribute the problem to being some sort of caching issue (somewhere between my CF instance and the Adobe server sending the bundledependency.json file, which I found was lacking the updated package info).

    Again, this problem has happened to others with previous CF updates, and it could happen in the future, perhaps especially to those who try to implement the update on the first day of its release. (It doesn't ALWAYS happen, and indeed it did not happen when I updated cf2025 before that, and cf2021.)

    Anyway, if you're interested in hearing more about the issue (including how to diagnose and resolve it), see my post on that, which followed the one above. And try to keep it in mind if you apply a future update on the first day or two, and find that updated packages are unexpectedly uninstalled after doing the update. (This is not to discourage you from doing the update the first day, just info to be aware of, and an explanation of what may happen and how to recover.)

    /Charlie (troubleshooter, carehart.org)