Announcing ColdFusion updates released May 13 2025: p1 security update (and more)
An update for ColdFusion has been released today, May 13, 2025, for both cf2025 (update 2), cf2023 (update 14) and cf2021 (update 20). In brief, it addresses a P1 (Priority 1, "Critical") security vulnerability, as indicated in the associated ASPB (security bulletin) for the update.
The update also incorporates potentially breaking changes (with Adobe trading compatibility for security), while it also includes configurable options to undo those changes (if you prefer to trade away security for compatibility). Finally, the update corrects some issues introduced in the previous updates, released in April.
In this post, I share the details about the update (from Adobe and from others). I can report I have installed both updates on multiple machines and operating systems without incident. As for challenges or lessons learned, I may do a follow-up post as I/we all learn more.
For more details, read on.
If you have a remote function that you call with cfajaxproxy and you have a cfparam tag with a URL variable in Application.cfm it will try and pass the variable as an argument to the function and error out.
Application.cfm
**************************
<cfparam name="URL.WindowType" default="Screen">
test.cfm
**************************
<cfajaxproxy cfc="proxy" jsclassname="testproxy">
<!--- the following should be a "script" tag, but the blog's XSS protection converts it to "invalidtag"--->
<InvalidTag>
var ColdFusionProxy = new testproxy();
var TestDate = ColdFusionProxy.getDate();
document.write(TestDate);
</script>
proxy.cfc
**************************
<cfcomponent displayname="proxy" output="false">
<cffunction name="getDate" access="remote" returntype="date" output="false"
hint="Returns the current date and time">
<cfreturn Now()>
</cffunction>
</cfcomponent>
The error I get is:
"Function getDate does not support WINDOWTYPE as an argument in in C:\inetpub\wwwroot\proxy.cfc"
Removing the cfparam tag works around the issue.