Announcing ColdFusion updates released Dec 9 2025 - p1 security update and more
In brief, this update (for all 3 versions) addresses several P1 (Priority 1, "Critical") security vulnerabilities, and also updates Tomcat, along with updating several CF packages, and makes some other changes (see below). Note that Adobe is also reporting currently that, "Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates."
In this post, I share the details about the update (from Adobe and from others). I also share additional info you may want to consider before (or after) doing the update.
Having installed the update for each of the releases on multiple machines, I can report that it went well except for this:
Warning: on CF2023, after applying the update, I and others have experienced that the CF Admin is inaccessible and packages that were updated are unexpectedly uninstalled. I will offer a follow-up post on that, including how to solve the problem (until Adobe does), and how to ensure your own manual efforts to solve it are complete.
Following are the topics discussed in this post:
- Finding the update (and finding more about it)
- Things to beware BEFORE doing the update
- What are the security issues addressed in the update?
- What's changed in the update?
- Improvements labeled as "bugs fixed" in this update
- "Known issues" that remain after the update, with workarounds
- Packages updated in this update
- Changes, as a result of any CF updates you may be skipping?
- How can you assess if the update went well?
- A few other topics generic to recent CF updates, which you may want to consider
- On getting help with the update(s)
I appreciate that some people look for my posts as a go-to resource about the update, and some may wish I'd gotten this note out earlier today (the day of the update's release). Besides testing on multiple machines, I also take time to consider feedback shared in the community, or things I learn as I offer help to them and my own clients.
Finding the update (and finding more about it)
While you should have seen the update appear in your CF Admin when you log in (and if you don't, give it time, as there may be a caching issue), as always Adobe has announced the update via their CF Community Forums and CF portal/blog, specifically:
(There tends to be more "discussion" from community members in the forum announcement than in the blog post, though not always.)
And those point to the very important technote available for each version:
- ColdFusion (2025 release) Update 5
- ColdFusion (2023 release) Update 17
- ColdFusion (2021 release) Update 23
Things to beware BEFORE doing the update
Before discussing the update further, and since some may see that info above and try to proceed (before reading what I share below), I want to share some more information that you should consider BEFORE doing the update.
Beware that if you'd modified the pathfilter.json file introduced in the May CF update, sadly that file will be overwritten
This first matter applies for all 3 CF versions. It started happening with the update in July, and it's still happening. Technically, it applies only to people who a) had applied the May or July CF update and then b) had modified the new pathfilter.json file introduced in that May update (see my post on that May update for more):
If you have added custom entries to the pathfilter.json file (in cfusion/lib or [instancename]/lib), used for whitelisting folders used for scheduled task output or for using precompiled code, note that this file is REMOVED and replaced by an empty default version in the update. You must either:
- Back up the pathfilter.json file before applying the update, to restore it afterward
- Or restore it from the backup folder created by the update itself, after you apply the update.
The backup copy of the file can be found along with many (not all) other CF files that are backed up during updates, in the "hf-updates" subfolder created for the update you applied, where you'll find it in \backup\lib\pathfilter.json
One more thing to beware: this Dec 2025 update also adds a NEW section to that file (related to CAR file processing), so you can't simply restore your file over top of it. You should fold any changes you previously made into that new version of the file created with this update.
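Since the update writes a fresh pathfilter.json (now with the new CAR section) and your customized copy sits in the update's backup folder, the safest approach is to merge rather than copy one file over the other. The script below is an added example, not code from this post or from Adobe: it folds any entries present only in the backup copy into the new file, keeps everything the update added, and leaves a .pre-merge copy of the fresh file. The JSON key names in the sample ("allowedPaths", "scheduler", "precompile", "car") are constructed for illustration and are not Adobe's actual schema; the merge itself is schema-agnostic, so it works on whatever keys your real file contains.

```python
"""Fold custom pathfilter.json entries from the update's backup copy into the new
file the update wrote. Added example; the sample keys are NOT Adobe's real schema."""
import json
import shutil
import tempfile
from pathlib import Path


def merge_json(new, backup):
    """Recursive merge: anything present in the new (post-update) file wins, so a
    section the update added (e.g. the new CAR section) is kept; keys or list
    entries that exist only in the backup are added back. Lists are treated as
    ordered sets so duplicate whitelist entries are not introduced."""
    if isinstance(new, dict) and isinstance(backup, dict):
        merged = dict(new)
        for key, value in backup.items():
            merged[key] = merge_json(new[key], value) if key in new else value
        return merged
    if isinstance(new, list) and isinstance(backup, list):
        merged = list(new)
        for item in backup:
            if item not in merged:
                merged.append(item)
        return merged
    return new  # scalar conflict: the update's value wins


def restore_custom_entries(lib_dir, hf_update_dir):
    """Merge <hf_update_dir>/backup/lib/pathfilter.json into <lib_dir>/pathfilter.json.
    A copy of the fresh file is kept as pathfilter.json.pre-merge for comparison."""
    lib_dir = Path(lib_dir)
    current = lib_dir / "pathfilter.json"
    saved = Path(hf_update_dir) / "backup" / "lib" / "pathfilter.json"
    fresh = json.loads(current.read_text(encoding="utf-8"))
    custom = json.loads(saved.read_text(encoding="utf-8"))
    merged = merge_json(fresh, custom)
    shutil.copy2(current, current.with_name("pathfilter.json.pre-merge"))
    current.write_text(json.dumps(merged, indent=2), encoding="utf-8")
    return merged


def demo():
    """Constructed sample run in a temp dir: a fresh file with an (assumed) new CAR
    section, and a backup carrying two custom entries. Returns the merged dict."""
    fresh = {"allowedPaths": {"scheduler": [], "precompile": []},
             "car": {"allowedPaths": []}}
    custom = {"allowedPaths": {"scheduler": ["C:/cf-output/scheduled"],
                               "precompile": ["C:/cf-precompiled"]}}
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "cfusion" / "lib"
        # hypothetical hf-updates subfolder name; yours will differ
        hf = Path(tmp) / "cfusion" / "hf-updates" / "hf-2025-00005-000000"
        lib.mkdir(parents=True)
        (hf / "backup" / "lib").mkdir(parents=True)
        (lib / "pathfilter.json").write_text(json.dumps(fresh), encoding="utf-8")
        (hf / "backup" / "lib" / "pathfilter.json").write_text(
            json.dumps(custom), encoding="utf-8")
        merged = restore_custom_entries(lib, hf)
        assert (lib / "pathfilter.json.pre-merge").exists()
    return merged


if __name__ == "__main__":
    # Real use: python merge_pathfilter.py  (edit the two paths below first)
    # restore_custom_entries(r"C:\ColdFusion2025\cfusion\lib",
    #                        r"C:\ColdFusion2025\cfusion\hf-updates\hf-2025-0000X-XXXXXX")
    print(json.dumps(demo(), indent=2))
```

Run it against cfusion/lib and then against each [instancename]/lib if you run multiple instances, and diff pathfilter.json.pre-merge against the result before restarting CF, since a path you whitelist here widens what CF will write to or load from.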
Those running CF2023 should beware a problem happening at least the first day of the update's release
Again, as I noted at the outset, there is a problem (at least the day of the release, and perhaps the next day) that's unique to those updating CF2023. I will have more to say in a separate blog post, which I will link to here once I post it. For now, if you're on CF2023, you may want to hold off applying the update until either you read my post (with an explanation and solution) or Adobe clarifies (in one of those resources above) that they have acknowledged and fixed the problem.
What are the security issues addressed in the update?
Per the update's technote(s), the update "includes important security fixes that mitigate vulnerabilities related to arbitrary file system write, arbitrary file system read, arbitrary code execution, and security feature bypass."
If you read the Adobe Product Security Bulletin or APSB for this update, it indicates that it's a Priority 1 "Critical" update, addressing several vulns with CVSS scores as high as 9.1 out of 10--affecting equally all 3 CF versions that are being updated.
Again, Adobe says (as of the day of release) that "Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates."
You can read the bulletin for the boilerplate identification of the issues, and their MITRE CWE definitions, as well as the acknowledgements of who identified/reported such vulns. Sadly, as is nearly always the case, there is very little detail beyond that about the vulns, and certainly no information to help you "detect if you're vulnerable". The expectation is that "you are" (vulnerable) and therefore "you should apply the update" in order to get the protection it offers.
(BTW, as for the APSB's final section, "ColdFusion JDK Requirement", offering JVM args to be applied, that does NOT apply to most folks. Instead it's only for those who deploy CF via EAR or WAR files on JEE app servers.)
What's changed in the update?
If you read the resources I point to above (the forum thread, the blog post, and especially the technote for the update to each CF version), they discuss what's changed, at least in brief. The update technotes do offer more detail than the others, though generally still not a LOT of detail.
New JVM Flags
First, note that there are a few new/changed "JVM flags", meaning properties (settable in the CF Admin "Java and JVM" page or CF's jvm.config file) which can be used to change how CF operates, including mediating the effect of changes introduced with this update.
The new/updated flags are:
- -Dcoldfusion.websocket.selector.validation
- -Dcoldfusion.deserialization.safeguard.enabled
- -Dcoldfusion.pdf.ddx.allowExternalEntities
- Renamed -Dcoldfusion.datasource.blocked.properties to -Dcoldfusion.datasource.allowed.properties
See the link offered in the update technote to a page for each of CF2025 and CF2023/2021 with more details on these.
Change to serialfilter: ColdFusion blocks all class deserialization by default
Let me just quote the first of a few paragraphs in the update technote about this matter:
"From this update, ColdFusion blocks all class deserialization by default. ColdFusion applies a default-deny deserialization policy using an internal allowlist of classes required by the platform and the cfusion/lib/serialfilter.txt file, which you can edit to whitelist additional safe classes or packages. Classes not on this allowlist are blocked, and an error is logged advising you to add the relevant class or package to serialfilter.txt if you wish to allow it."
Please do see the update technote (for your respective CF version) for additional important details.
CAR migration changes: you must now whitelist paths related to car file creation/deployment
Again, see the update technote for more details. Bottom line: if you use the CF Admin CAR (ColdFusion Archive) feature (for copying Admin settings from one CF instance to another), then you must now whitelist, in that pathfilter.json file discussed above, the location from which you will deploy such a CAR, as well as any files within the CAR that you may associate with an export of a CAR.
Tomcat upgraded
For those who deploy CF via its installer (or zip install), which implements CF atop Tomcat, note that for CF2025 the Tomcat version is upgraded to Tomcat v10.1.48.0, while for CF2023 and 2021 it's upgraded to Tomcat v9.0.111.0.
Packages updated in this update
Finally, as is the case with many (but not ALL) CF updates, this update does include updates to a dozen of its packages: administrator, ccs, document, htmltopdf, pdf, presentation, print, report, scheduler, search, spreadsheet, and websocket.
Note that there is also a table at the bottom of each technote indicating what packages were updated.
Improvements labeled as "bugs fixed" in this update
There are several bugs fixed with this update (nearly all are the same in all 3 versions). See the update technote for your version, in the section of "Bugs fixed in the update".
"Known issues" that remain after the update, with workarounds
The update technote for each of the versions indicates, "The cfpdf tag's archive action currently fails when targeting the PDF/A-2b standard", and it goes on to offer more on the matter and how to solve it. Note that while the CF2025 update technote currently says only to "add the necessary class/package in cfusion/lib/serialfilter.txt.", the technotes for the other two versions say more specifically, "As a workaround, allow java.io.Serializable in cfusion/lib/serialfilter.txt"
Changes, as a result of any CF updates you may be skipping
Of course, when we say that "these are the things changed per this update", it's important to note that this is referring specifically to THIS update--and it's presuming you are coming from the immediately preceding update.
If instead you are skipping that one or any before it, note that you MUST take into consideration whatever is indicated as having changed in that/those prior updates you're skipping.
The technote and Adobe resource pages about the update do offer a link to a page listing ALL updates for each CF version, to facilitate that effort.
Most important, perhaps, note that some CF updates introduce breaking changes (where Adobe is sacrificing compatibility for the sake of security). In those cases, they may identify (in the technotes) some new jvm arg which, if added to CF's startup args (like in the jvm.config file or the CF Admin "java & jvm" page), may revert that change of behavior (sacrificing that one security improvement for the sake of compatibility).
Again, see the update technotes for this update and any you may be skipping, to see if it may offer such a new JVM arg. And FWIW, I try to do a blog post on each of the CF updates, so you can look also at those for more info. Here's the link to my category of posts on most of the previous updates, where I tend to cover these important breaking changes and any jvm args.
Finally, note that Adobe has recently started to track in a separate page what those new jvm args are. There's one list for CF2025 and another for CF2023 and 2021. Sometimes these pages may say a bit more than the update technotes do, but rarely. See both.
How can you assess if the update went well?
When you apply a CF update, it's easy to think, "well, if CF came back up, I'm good". That's not true. There MAY have been an error during the update, or during the applying of package updates (which happens during the first startup of CF after the update).
1) Check the update log, first for success in applying the update
When the update is finished (and CF is restarted), the update mechanism (a Java process that CF launches to do the update) will write a log file to the cfusion/hf-updates folder, in the subfolder named for the update you just did (such as \ColdFusion2025\cfusion\hf-updates\hf-2025-00004-331512, which of course will vary for each update). And the log file will have a name like Adobe_ColdFusion_2025_Update_4_Install_09_09_2025_18_57_33.log, which again will vary for each update; note that it includes the date and time of the update.
In that file, look at about line 70, which will show a table of "successes", "fatalerrors" and "nonfatalerrors". You want to see 0 of the latter two. There is also a count of "warnings", but 1 or even a couple may be insignificant.
If there were errors, there can be any of many explanations. I covered some of the more common ones first in a blog post several years ago How to solve common problems with applying ColdFusion updates. See also a 2025 presentation I did, Solving Common Problems with CF Updates (PDF and recording offered there).
But before closing the log file, see the next section.
2) Check that same update log, for success in it downloading any package updates
New since CF2021, CF is modular (based on OSGi), such that most CF features are organized into "packages" (or "modules") that you can choose to install or not. And most CF updates (but not all) include some package updates.
As such, we also need to make sure such package updates go well when applying a CF update. And the first place to watch for is in that same update log from the previous section. See the bottom of the log, where it may report one or many packages (And related "jar" files) being downloaded (or it may report, "All the packages are already updated as per the current core update level.")
A key point to note is that it's NOT the CF update (tracked in this log) which PERFORMS the package update. Instead, it ONLY attempts to DOWNLOAD whatever packages will need to be updated. It's then on the next CF STARTUP (which happens automatically after a CF update) that any packages are updated.
To wit, the last (and equally important) thing to check is...
3) Check the coldfusion-out.log for success during UPDATING of any packages
The coldfusion-out.log tracks most of what happens during startup of CF (there is also information in the coldfusion-error.log; and of course if you run CF from the command line rather than as a service, the info normally sent to these files is sent to your console instead.)
So after performing a CF update, and assuming the update log indicated that there were package updates downloaded, you would look to the BOTTOM of the coldfusion-out.log (assuming CF just restarted), to observe the lines that discuss CF first "uninstalling" any packages (and related jars) that were updated. Then it will show that any implemented packages are "started" (it never shows it "installing" or "updating" the packages, per se). We want to watch for any errors that occur (well, pay attention especially to any which may not be happening on every CF startup.)
It could be several dozen or more lines which are written during CF startup, depending on a) the number of packages you've installed and b) how many needed to be updated. If you have trouble interpreting problems you see, see the final section here where I can help, remotely, and often nearly immediately.
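The three checks above (the install log's success/error table, the package-download lines at its bottom, and the uninstall/start lines at the end of coldfusion-out.log) are easy to script so they get done every time rather than only when something looks off. The script below is an added example, not code from this post or from Adobe. It assumes the summary table in the hf-updates install log uses InstallAnywhere-style lines of the form "N Successes", "N Warnings", "N NonFatalErrors", "N FatalErrors"; the "Downloading package:" wording and the coldfusion-out.log lines in the sample are constructed guesses, so compare the patterns against your own logs and adjust them. The only quoted string taken from the post is the "All the packages are already updated..." message.

```python
"""Post-update checks for a CF update: install-log summary counts, package
downloads, and the package uninstall/start lines of coldfusion-out.log.
Added example; line formats other than the summary table are assumed."""
import re

# Summary table written near the top of the hf-updates install log (assumed
# InstallAnywhere-style wording; verify against your own log).
SUMMARY_RE = re.compile(
    r"^\s*(\d+)\s+(Successes|Warnings|NonFatalErrors|FatalErrors)\s*$", re.I)
CANONICAL = {"successes": "Successes", "warnings": "Warnings",
             "nonfatalerrors": "NonFatalErrors", "fatalerrors": "FatalErrors"}
# Message quoted in the post for the case where nothing needed downloading.
ALREADY_CURRENT = ("All the packages are already updated as per the current "
                   "core update level.")
# Constructed guess at a package-download line; adjust to what your log shows.
PACKAGE_DOWNLOAD_RE = re.compile(r"download\w*\s+package[:\s]+(\w+)", re.I)
# Startup-log lines worth a human look after a package update.
STARTUP_ERROR_RE = re.compile(r"\b(error|exception|failed)\b", re.I)


def summarize_install_log(lines):
    """Return the summary counts, which packages were downloaded, and a verdict.
    'ok' requires that the summary table was found AND both error counts are 0;
    a missing table means the updater never reached its summary, which is itself
    a failure sign."""
    counts = {name: None for name in CANONICAL.values()}
    packages, already_current = [], False
    for line in lines:
        m = SUMMARY_RE.match(line)
        if m:
            counts[CANONICAL[m.group(2).lower()]] = int(m.group(1))
            continue
        if ALREADY_CURRENT in line:
            already_current = True
        d = PACKAGE_DOWNLOAD_RE.search(line)
        if d:
            packages.append(d.group(1))
    errors = (counts["FatalErrors"] or 0) + (counts["NonFatalErrors"] or 0)
    return {"counts": counts, "packages_downloaded": packages,
            "already_current": already_current,
            "ok": counts["Successes"] is not None and errors == 0}


def check_startup_log(lines, tail=500):
    """Look only at the end of coldfusion-out.log (the most recent startup) and
    count package uninstall/start lines; any error-looking line fails the check."""
    recent = lines[-tail:]
    uninstalled = sum("uninstall" in line.lower() for line in recent)
    started = sum(bool(re.search(r"\bstarted\b", line, re.I)) for line in recent)
    errors = [line for line in recent if STARTUP_ERROR_RE.search(line)]
    return {"uninstalled": uninstalled, "started": started,
            "errors": errors, "ok": not errors}


def run_checks(install_lines, startup_lines):
    install = summarize_install_log(install_lines)
    startup = check_startup_log(startup_lines)
    return {"install": install, "startup": startup,
            "overall_ok": install["ok"] and startup["ok"]}


# Constructed sample logs (not real CF output) showing a clean update.
SAMPLE_INSTALL_LOG = """\
Install Begin: Tue Dec 09 18:57:33 EST 2025
Summary
-------
Installation: Successful.
1523 Successes
1 Warnings
0 NonFatalErrors
0 FatalErrors
Downloading package: pdf
Downloading package: websocket
""".splitlines()

SAMPLE_STARTUP_LOG = """\
Dec 9, 2025 6:59:01 PM Information [main] - Uninstalling package: pdf
Dec 9, 2025 6:59:01 PM Information [main] - Uninstalling package: websocket
Dec 9, 2025 6:59:10 PM Information [main] - Package pdf started
Dec 9, 2025 6:59:10 PM Information [main] - Package websocket started
Dec 9, 2025 6:59:12 PM Information [main] - ColdFusion started
""".splitlines()


def demo():
    return run_checks(SAMPLE_INSTALL_LOG, SAMPLE_STARTUP_LOG)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python check_cf_update.py <install.log> <coldfusion-out.log>
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            install_lines = f.read().splitlines()
        with open(sys.argv[2], encoding="utf-8", errors="replace") as f:
            startup_lines = f.read().splitlines()
        print(run_checks(install_lines, startup_lines))
    else:
        print(demo())
```

A useful sanity rule the script makes visible: if the install log lists packages downloaded but the tail of coldfusion-out.log shows no uninstall/start lines for them, the package update step never ran on that startup, and CF is running a mix of old package jars with new core jars.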
A few other topics generic to recent CF updates, which you may want to consider
Before wrapping up, there are a few other matters that may interest you, which apply generally to ALL the updates.
You should strongly consider the suggestion to "delete the felix-cache"
The first is that while it's not mentioned in every update technote, there has been in the technotes for previous recent CF updates an indication that one should stop CF after the update and delete the cfusion/bin/felix-cache folder, then restart CF. There's no reason NOT to do this, and it HAS been known to fix issues that lingered after an update. (And repeat that step for any instances other than "cfusion" which you may have, if running CF Enterprise or the Developer or Trial edition.)
Other update topics to consider
Beyond that, there are a few more topics which I have covered in my previous blog posts on the updates. What I said in them applies generally to this one as well, especially if you've jumped over previous updates to this latest one, so I'll just point you to the bottom of my post from the Oct 2024 update where I discuss them more:
- What to consider, with regard to some previous CF updates (possible breaking changes)
- As with all CF updates, possible need to upgrade web server connector
- Something to consider, if you're coming from CF2021 update 10 or CF2023 update 4, or earlier
- and more
The discussion of these points starts at this point in that Oct 2024 post.
I may eventually break these points out into their own post (so that I can more easily point out the issues in my posts about other CF updates). If I do, I will update this section to point to that.
On getting help with the update(s)
Finally, if you may want help with considering, installing, or troubleshooting anything related to these updates (or indeed anything related to CF), I'm available for online remote consulting. I can often help solve such update problems VERY quickly (often minutes, rarely even hours), getting you back on your feet. More at carehart.org/consulting.
Or you can certainly reach out to the CF community, starting first perhaps with the Adobe forum thread announcing the update, which I pointed to above. Adobe folks might well respond to issues you raise there. Or you could reach out to their support email addresses: [email protected] or [email protected]. Finally, to reach out to the wider CF community, note that I offer links to several of the online CF communities here.
For more content like this from Charlie Arehart (or more help with problems):
- Signup to get his blog posts by email:
- Follow his blog RSS feed
- View the rest of his blog posts
- View his blog posts on the Adobe CF portal
- If you may prefer direct help, rather than digging around here/elsewhere or via comments, he can help via his online consulting services
- See that page for more on how he can help a) over the web, safely and securely, b) usually very quickly, c) teaching you along the way, and d) with satisfaction guaranteed