Announcing ColdFusion updates released July 8 2025: p1 security update and more
An update for ColdFusion has been released, July 8 2025, for each of cf2025 (update 3), cf2023 (update 15) and cf2021 (update 21). In brief, it addresses a number of P1 (Priority 1, "Critical") security vulnerabilities and more, including bug fixes and some modest feature changes.
As usual, there are a number of things you should consider before (or after) doing the update, with some discussed in Adobe's resources on the update (more than one), and some that I share below based on my experience helping people apply this and past updates. Finally, the update corrects some issues introduced in the previous updates, released in May.
In this post, I share the details about the update (from Adobe and from others). I can report I have installed the update for each release on multiple machines and operating systems without any major incidents. As for challenges (common to recent releases) and lessons learned (about this update), read on.
I updated our servers this morning, and everytime I try and send an email now, it results in a 500 Server Error.
Stop Coldfusion
Delete the Felix cache folder (cfusion/bin/felix-cache)
Restart Coldfusion
This will resolve your issue.
I'll point out to you both (and all readers) that I DID cover this clearing of the felix-cache in my section above, "A few other topics generic to recent CF updates, which you may want to consider", where I explained that while this update
s technote does not SAY to do it, it HAS often been the solution to some problems--which not EVERYONE may necessarily experience.
And that's also why I just say to do it as a matter of good practice: as I concluded, "there's no reason NOT to".
If this specific mail issue does prove to be rather universal, I'll update the post to reflect that. For now, these comments should help (those who don't heed my own recommendation about it).
https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-update-21.html
bcmail-jdk15on-153.jar (is missing now)
First, good to see Adobe added that as a known issue...but it's odd that it's listed only on the technote for cf2021...not cf2025 or 2023. I have asked Adobe directly about that.
Finally Kevin, given that, and when you say 2025 is removing the required jar, what is that? FWIW, there IS an indication (in the 2025 update technote alone) that "The jar file `xlsx-streamer-2.1.0.jar` has been removed and replaced with `excel-streaming-reader-5.0.4.jar`." But I don't think that's what you're referring to, since it clearly has nothing to do with mail.
I'm thinking you're referring to something maybe you saw in your logs? What jar was it?
Let me do some exploring (or perhaps others will and will get back to us).