Announcing ColdFusion updates released July 8 2025: p1 security update and more
As usual, there are a number of things you should consider before (or after) doing the update, with some discussed in Adobe's resources on the update (more than one), and some that I share below based on my experience helping people apply this and past updates. Finally, the update corrects some issues introduced in the previous updates, released in May.
In this post, I share the details about the update (from Adobe and from others). I can report I have installed the update for each release on multiple machines and operating systems without any major incidents. As for challenges (common to recent releases) and lessons learned (about this update), read on.





I updated our servers this morning, and every time I try and send an email now, it results in a 500 Server Error.
Stop ColdFusion
Delete the Felix cache folder (cfusion/bin/felix-cache)
Restart ColdFusion
This will resolve your issue.
I'll point out to you both (and all readers) that I DID cover this clearing of the felix-cache in my section above, "A few other topics generic to recent CF updates, which you may want to consider", where I explained that while this update's technote does not SAY to do it, it HAS often been the solution to some problems--which not EVERYONE may necessarily experience.
And that's also why I just say to do it as a matter of good practice: as I concluded, "there's no reason NOT to".
If this specific mail issue does prove to be rather universal, I'll update the post to reflect that. For now, these comments should help (those who don't heed my own recommendation about it).
https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-update-21.html
bcmail-jdk15on-153.jar (is missing now)
First, good to see Adobe added that as a known issue...but it's odd that it's listed only on the technote for cf2021...not cf2025 or 2023. I have asked Adobe directly about that.
Finally Kevin, given that, and when you say 2025 is removing the required jar, what is that? FWIW, there IS an indication (in the 2025 update technote alone) that "The jar file `xlsx-streamer-2.1.0.jar` has been removed and replaced with `excel-streaming-reader-5.0.4.jar`." But I don't think that's what you're referring to, since it clearly has nothing to do with mail.
I'm thinking you're referring to something maybe you saw in your logs? What jar was it?
Let me do some exploring (or perhaps others will and will get back to us).
Here's the full error - I tried updating bcprov-jdk15on-153.jar to a newer version but that seemed to make things error even more. I ended up just rolling back the update for now.
java.lang.VerifyError:
Bad type on operand stack
Exception Details:
Location:
coldfusion/mail/mod/MailImpl.signMail(Ljavax/mail/internet/MimeMessage;Ljavax/mail/Session;)Ljavax/mail/internet/MimeMessage; @238: invokevirtual
Reason:
Type 'org/bouncycastle/asn1/smime/SMIMEEncryptionKeyPreferenceAttribute' (current frame, stack[1]) is not assignable to 'org/bouncycastle/asn1/ASN1Encodable'
Current Frame:
bci: @238
flags: { }
locals: { 'coldfusion/mail/mod/MailImpl', 'javax/mail/internet/MimeMessage', 'javax/mail/Session', 'java/security/KeyStore', '[Ljava/security/cert/Certificate;', 'java/security/PrivateKey', 'org/bouncycastle/asn1/ASN1EncodableVector', 'java/security/cert/X509Certificate', 'java/lang/String', 'org/bouncycastle/asn1/cms/IssuerAndSerialNumber' }
stack: { 'org/bouncycastle/asn1/ASN1EncodableVector', 'org/bouncycastle/asn1/smime/SMIMEEncryptionKeyPreferenceAttribute' }
It now discusses the need (and details how to) delete the felix-cache (something I also warned of originally in the post). And yes, I will also update my post to note this addition to the "known issues" in the technote--for the sake of those who don't read the technotes...or all the comments here. :-)
And I've already updated the post about the new "known issue".
https://tracker.adobe.com/#/view/CF-4227376
The gist:
We're all aware of the expected behavior if you attempt to call a remote cfc method with required parameters without including all of the required parameters in your call. However, it appears that Adobe potentially has moved WHEN THAT VALIDATION OCCURS in the request process. It used to occur after onRequestStart() (verifiable with my aforementioned sample app) which would allow you to do some query_string/url scope manipulation prior to that validation. Now? Not so.
I discovered this when trying to run a page that has the cfencode tag and receiving an error. The application.log file showed the following error and solution: "ColdFusion no longer supports files encoded with cfencode. You can re-enable it by adding the JVM flag -Dcoldfusion.cfencode.decryption.enable=true to jvm.config ..."
Workaround: add -Dcoldfusion.cfencode.decryption.enable=true to the JVM arguments and restart ColdFusion Application services.
Of course, I've already rewritten parts of our app as it was the lesser evil than being more than 2 months behind on security updates.
Either way, I'll take it.
First, have you tried stopping CF, deleting the cfusion/bin/felix-cache, then starting CF? That's been a frequent solution in recent updates to such unusual situations.
Next, would this simple 2-line demo represent what you mean?
<cfset totalInvoiceAdjustments="75.00">
<cfoutput>#Numberformat(totalInvoiceAdjustments,"________.__")#</cfoutput>
If so, I have setup a demo of that running at cffiddle.org (Adobe's online CFML demo area), which you or anyone can run--and you'll see it works just fine:
https://cffiddle.org/app/file?filepath=ce40279c-c707-4b7c-963f-c91041ed29b6/27fdaa23-5e00-4585-bf7f-03fc9fb3e2a0/3d71850f-bb66-40c3-b29e-cc26114207e3.cfm
Note that UI allows one to run that or most any code against the current latest update of CF2025, 2023, and 2021.
Does that simple code work for you, if you drop it into a little test page (even before clearing the felix-cache? then does it work after that)?
BTW, you refer to update 15 of CF2025, but its latest is 4 so I'll assume you meant CF2023. And to be clear, this post of mine you're commenting on is indeed about the July CF update (which was 15 for 2023, and 3 for 2025). As you may know, there was another update in Oct (update 16 for 2023 and update 4 for 2025).
But to be clear I did even test that code against my own local running CF2023 at this older update 15 you refer to, and it works there (and in update 16, of course).
So again, if my little test code example DOES represent what you are trying, and if you run it locally and it DOES fail, then please do try my initial suggestion of clearing the felix-cache folder.
If that allows that test page (and your real app) to get past this problem, it's just one of those oddities which can sometimes arise, uniquely for some people, which is why I say in my post that EVERYONE should ALWAYS do that step after EVERY update. :-)
Please let us know what you think/how things go.
<cfset totalInvoiceAdjustments=75.00>
Vicki, again if somehow even that doesn't represent however your own code had set that totalInvoiceAdjustments var, let us know.
1) So first, yep I'd missed that that was conveying that the value was seemingly "- 75" (both negative and with a space). And yes, if I change my demo to this:
<cfset totalInvoiceAdjustments="- 75">
then I DO get that error you report (unless you change the numberformat)....
2) But note that I find that code now fails on ALL CF versions, even back to CF10!
While cffiddle.org doesn't let you run anything earlier than CF2021, note that trycf.com does go back to CF10 (or lucee, etc.). But I'm saying that when I tried the code with that value, it failed on each CF version (and lucee, FWIW).
Here's a link to it running there, on cf2016 (and you can change the engine version using the gear at the bottom right of the page):
https://www.trycf.com/gist/84f361cadd8d83933f6ec2f9ced0732c/acf2016?theme=monokai
We could ask, "What were you running before 'applying Update 15 to ColdFusion 2023'? A previous update of CF2023?" But again since I don't find my demo above working on ANY previous CF version, I really don't think it's about the update.
3) The problem may well be that our little demo is not properly recreating whatever your code is really doing (when it "works" for you and doesn't show an error). That's key to understanding and resolving it, of course.
3a) Do you happen to still have whatever CF version let your code run ok before? If so, could you take my sample code and run it there?
If it does still fail (like everywhere else), then that means it's not properly representing what "works" for you.
4) FWIW, I tried it with the value NOT quoted, but with the space between the - and the number, as this:
<cfset totalInvoiceAdjustments=- 75>
And that DID work...on all CF versions (without need to change that numberformat), producing as its output:
- 75.00
Could that be a clue? Could it be that your real code somehow went from not quoting to quoting the value? That's just a guess.
5) If you think of something else to tweak, please do consider using cffiddle.org so you can demo it as a standalone thing OUTSIDE your environment. (And note that in the trycf.com code, I added a line to output the current CF version, in case that may help you to know what your OLD CF was running, including the update version.)
6) One other thought: as you may try to diagnose things, have you output the value of the variable in your totalInvoiceAdjustments variable, before it fails (perhaps with a cfabort before the numberformat, to prevent the error)? That would allow you to confirm the var holds what you expect--and ONLY what you expect.
Indeed, beware it may somehow have special characters you're not seeing in the browser. You might see them better with CF's htmlcodeformat function:
totalInvoiceAdjustments=#htmlcodeformat(totalInvoiceAdjustments)#
7) Back to my asking what update you were on before this one, once we know that it could be a clue as to there perhaps being a connection to any of the many changes that have happened in recent updates. Maybe they somehow are causing code (that we're not considering) to CHANGE the value that ends up in that var, so that it ends up quoted when perhaps before it was not. That's just a guess--since the non-quoted demo works.
8) Apologies to everyone following along, for whom this may seem something not related to the update discussed in the blog post, after all. Only time will tell.
Vicki, I thought about writing you privately (I see the email address people enter, but no one else does). But I wanted to let everyone know at least what I found above, to save anyone the effort who may have been tempted to kindly test things also.
If you don't resolve things, how about emailing me directly, you can (charlie at carehart.org). Once we resolve or better understand things we can update folks here. :-)
And I hope the above may help anyone who read to this point, even if in diagnosing other problems. :-)