
NOW LIVE! ColdFusion 2025, 2023, and 2021 September security updates

Adobe Employee, Sep 09, 2025

We are pleased to inform you that we've released security updates for ColdFusion 2025, 2023, and 2021 releases. For more information, see the respective tech notes:

The updates address an important security fix related to critical path traversal.

View the security bulletin, APSB25-93, for more information.

 

Download the updates

 

Docker and CFFiddle

 

Please download and apply the updates and provide your feedback.

Community Beginner, Sep 10, 2025

There's still something wrong here -- it's still not sending emails, though now I'm not getting the error outright.

 

I'm rolling back to 21 and will wait to move to 22 until the bugs are flushed out.

Community Expert, Sep 10, 2025

Did you try clearing the felix-cache? Though not indicated for this update, it was often needed to solve mail problems in the previous one--which suggested that after the update, one should stop cf, delete the cfusion/bin/felix-cache folder, then restart cf, which would recreate the folder and what goes in it. (And if you're running multiple instances, delete [instancename]/bin/felix-cache.)

 

I realize this suggestion may be too late for you if you've uninstalled the update. I leave it then for others. 


/Charlie (troubleshooter, carehart.org)
Community Beginner, Sep 10, 2025

Hi Charlie,

 

I cleared both the felix-cache and cfclasses, too.  No dice.  So I rolled back...and I still had the mail issue ("Cannot find implementation class coldfusion.tagext.mail.MailTag for the mail tag.").  So I rolled back to update 18...and still had the mail issue. 😞

 

So what did I do?  I patched it, manually using java.exe, forward to Update 22.  And now everything seems to be OK.

 

I have to tell you, I loathe doing updates for CF. Why does it have to be so difficult?

Community Expert, Sep 10, 2025

Sadly, you could be howling at the wind here. The troubles happen to many (but again, not everyone), and those who suffer can certainly commiserate here--but there's no assurance Adobe will hear your complaint here.

 

Better to file a bug report at tracker.adobe.com (I suspect many have, about such update issues), or complain directly to cfsup@adobe.com (perhaps only to be told "the developers are investigating" this problem... though they DO fix many.)

 

Indeed, I'll note that Adobe DID say after the last update that the problem related to mail (the one fixed by clearing the felix-cache) was to be fixed in the "next" update. Since THIS one was an urgent security fix, no bug fixes were included. Perhaps the NEXT one will improve things.

 

If things don't improve with these various update issues, I'm sure some may well vote with their feet.

 

Until then (or otherwise), I and others (including some from Adobe) are here to try to help. 


/Charlie (troubleshooter, carehart.org)
Community Beginner, Sep 10, 2025

Thanks, Charlie. As always, I'm super appreciative of your posts here. Seems like whenever I update manually using java, I have fewer issues, so I'm just going to do that going forward.

Community Expert, Sep 10, 2025

And thank you for the kind regards. Again, some find that to be true--and there are a couple of situations where it's the best option--certainly an offline manual update, or also when the user for the cf service is not the system account (on windows) or root (on Linux) and so can't cause stop/start of the cf service to do the cf update.

 

But your issue seems to be about packages, and I'll just say I've not yet once had to do a manual update to solve that sort of problem. Not negating your experience, just sharing mine--that it's always better or necessary to do a manual (java -jar) update.


/Charlie (troubleshooter, carehart.org)