
Announcing ColdFusion updates released May 13 2025: p1 security update (and more)

An update for ColdFusion has been released today, May 13, 2025, for cf2025 (update 2), cf2023 (update 14), and cf2021 (update 20). In brief, it addresses a P1 (Priority 1, "Critical") security vulnerability, as indicated in the associated APSB (security bulletin) for the update.

The update also incorporates potentially breaking changes (with Adobe trading compatibility for security), while it also includes configurable options to undo those changes (if you prefer to trade away security for compatibility). Finally, the update corrects some issues introduced in the previous updates, released in April.

In this post, I share the details about the update (from Adobe and from others). I can report I have installed both updates on multiple machines and operating systems without incident. As for challenges or lessons learned, I may do a follow-up post as I/we all learn more.

For more details, read on.

Following are the topics discussed in this post:

First, I do want to apologize to my regular readers for my not getting any post out about the April update. When it came out, I quickly saw people experiencing trouble--and I was torn about posting an announcement right away. Also, in my posts I don't just share the news but I first attempt the updates--on multiple machines and OS's, as well as exploring the changes (often finding more than what is documented, as I'll share below).

In the case of the previous update, as I waited for more info to come out about the troubles people were having (whether from Adobe or the community), well, time passed...and soon I felt like doing a post long after the update might not be so helpful after all. Then up popped this update today, which attends to some of the very problems introduced with that April update. So I stuck it out to get this one out today (ok, at 3am on the 14th--but it's still May 13 somewhere!)

Finding (and finding more about) the update

While you should have seen the update appear in your CF Admin when you log in (and if you don't, give it time, as there may be a caching issue), as always Adobe has announced the update via their CF Community Forums, specifically:

And that points to the (very important) technote for each version's update:

Finally note also that Adobe has posted a blog entry in the CF portal about the update (with essentially the same info): NOW LIVE! ColdFusion 2025, 2023, and 2021 May security updates. (There tends to be more discussion in the forum announcement than the blog post, though not always.)

What are the security issues addressed in the update?

If you read the APSB for this update, it indicates first again that it's a Priority 1 "Critical" update, and it identifies several different issues/vulnerabilities that are addressed with CVSS scores ranging from 6.8 to 9.1 out of 10--affecting equally all 3 CF versions that are being updated.

You can read the bulletin for the boilerplate identification of the issues, and their Mitre CWE definitions, as well as the acknowledgements of those who identified and reported the vulns. Sadly, as is nearly always the case, there is very little detail beyond that about the vulns, and certainly no information to help you "detect if you're vulnerable". The expectation is that "you are", and that therefore "you should apply the update" in order to get the protection it offers.

What's perhaps more unfortunate is that a) there are several different issues and b) there are changes put into effect related to some of them--as well as bugs fixed, etc., but you don't get to pick and choose "parts of these updates": you apply the update and get ALL the "fixes", including whatever changes are coming along for the ride, as discussed in the next section.

(BTW, as for the APSB's final section, "ColdFusion JDK Requirement", offering jvm args to be applied, please see my discussion below for how that does NOT apply to most folks: only to those who deploy CF via EAR or WAR files on JEE app servers.)

What's changed in the update?

If you read the resources I point to above (the forum thread, the blog post, and especially the technote for the update to each CF version), they discuss what's changed, at least in brief. The update technotes, in particular, offer more detail than the others. I'd like to present here the key points (as addressed differently across those various resources), with perhaps a little more context and indeed in a different order than Adobe lists them:

  • Note that if you have any CFCs which have remote methods (cffunction definitions that indicate access="remote"), such "remote" CFC methods will no longer accept calls made remotely (from outside of CF) which name either too many or incorrectly named arguments. Doing so will generate an error like, "Function test does not support [incorrect argname] as an argument in [path to cfc]". If you want to allow the previous behavior, use this new JVM flag:
    -Dcoldfusion.runtime.remotemethod.matchArguments=false
  • There's been a change regarding the recently added "serialfilter.txt" file, in that if you already have such a serialfilter.txt file defined before the update, it is replaced DURING the update. As the technote indicates, "if you already have custom entries added to the file, copy the custom entries from the backup file (cfusion/hf-updates/{version}/backup/lib)", which is referring to the backup folder created for the update you just applied
  • Though this is not mentioned clearly in the update technote, if you use the CF admin feature to create a ColdFusion Archive (car) file, note that as of this update, when you try to "build" such a car file, the admin no longer lets you choose WHERE to put the car file. Instead, it presumes only to write it to the CF instance's "packages" folder, as in C:\ColdFusion2025\cfusion\packages. Unlike prior to this update, the UI for naming the CAR file during the build step no longer shows the "browse" button to let you identify a folder location. (Curiously, we do still have to enter the .car extension as well, which seems a missed opportunity to ease that hassle.) FWIW, this change is only indicated in the list of "known issues" in the update technote, where it notes merely that if you DO try to build an archive and don't HAVE a "packages" folder within your CF instance, then it would fail--you must create that folder manually
  • The update technote indicates that we should obtain the latest MySQL connector update. See the technote and a link it offers to another CF doc page on the process. Note that as of the initial release of the update technotes, they curiously refer to the "latest" mysql driver version as being 8.0.15--which is from 2019. I have raised this concern to Adobe and it may be corrected by the time you see this. (The "latest" version indicated in the doc page is indeed the current latest, 9.3.0.)
  • Note that the table at the bottom of each technote indicates that there were 9 CF "packages" that were updated as of this update.
  • The update indicates that there are "refreshed" installers for the CF Add-on service, for those who may use those. Note they are needed only for those who choose to install the CF Add-on service separately from the CF install itself. To be clear, the CF installer defaults to offering to install the CF add-on service, which it implements within the CF folders: folks who implement CF and the add-on service this way don't need that separate/refreshed installer
  • Finally, if you use the (deprecated) CF Admin "system probes" feature, note that there are important changes regarding a) whether they can be configured to run a program if the probe fails and b) WHERE you are allowed to configure them to publish their output to a file. For more on each, see the update technote discussion of the -Dcoldfusion.systemprobe.allowexecution jvm arg and the "Pathfilter changes" section, respectively.
    • For the sake of posterity and to help folks searching the web, if your probe writes to a disallowed location, the error shown (and logged) will indicate that, "To allow it, whitelist the path in cf-root/lib/pathfilter.json against key schedulerexecutionpaths." Note finally that you also must escape a Windows path if specified in that file, otherwise you will find an error in the CF startup logs indicating, "Error reading path filter JSON file: Unrecognized character escape", so for instance use c:/somefolder/somefile.txt instead of c:\somefolder\somefile.txt
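As an added illustration of that last pathfilter.json point (example code written for this post, not Adobe's code or file format): a bare backslash in a JSON string is an invalid escape, which is exactly why CF's startup log complains. The key name comes from the error text quoted above; the assumption that its value is a JSON list of path strings is mine, as are the sample file contents.

```python
import json
from typing import List

# Key name quoted in the CF error message; the list-of-strings value shape is an assumption.
KEY = "schedulerexecutionpaths"

# Constructed sample contents, not copied from any real install.
# A Windows path typed as-is: "\s" is not a legal JSON escape, so the file will not parse.
RAW_WINDOWS_PATH = r'{"schedulerexecutionpaths": ["c:\somefolder\somefile.txt"]}'
# The form the post recommends: forward slashes need no escaping at all.
FORWARD_SLASH_PATH = '{"schedulerexecutionpaths": ["c:/somefolder/somefile.txt"]}'


def check_pathfilter(text: str) -> List[str]:
    """Return problems found in pathfilter.json text; an empty list means it is usable."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        # This is the failure CF reports as "Unrecognized character escape" at startup.
        return [f"JSON parse error at position {exc.pos}: {exc.msg}"]
    if not isinstance(data, dict) or not isinstance(data.get(KEY), list):
        return [f"key {KEY!r} missing or not a list"]
    problems = []
    for entry in data[KEY]:
        if not isinstance(entry, str) or not entry.strip():
            problems.append(f"entry {entry!r} is not a non-empty path string")
        elif "\\" in entry:
            # Parses (it must have been written as \\), but forward slashes are less fragile.
            problems.append(f"entry {entry!r} uses backslashes; prefer forward slashes")
    return problems


def json_safe_path(path: str) -> str:
    """Rewrite a Windows path the way the post suggests, so it needs no JSON escaping."""
    return path.replace("\\", "/")


def build_pathfilter(paths: List[str]) -> str:
    """Produce pathfilter.json text from plain paths; json.dumps handles escaping correctly."""
    return json.dumps({KEY: [json_safe_path(p) for p in paths]}, indent=2)


if __name__ == "__main__":
    print(check_pathfilter(RAW_WINDOWS_PATH))      # reports the invalid escape
    print(check_pathfilter(FORWARD_SLASH_PATH))    # []
    print(build_pathfilter([r"c:\somefolder\somefile.txt"]))
```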

For more on those two new JVM args discussed in the points above, see the available new documentation of all JVM flags (as added in each update), available for CF2025 and for CF2023/CF2021.

Improvements labeled as "bugs fixed"

The following bullet points are offered in the update technotes as bugs that have been fixed, for all 3 engine versions:

  • Executing the command docker run --rm -it -v ./mywebroot:/app -e acceptEULA=YES adobecoldfusion/coldfusion:latest cli t.cfm on a Docker image causes a Null pointer exception.
  • When ColdFusion is installed and multiple instances are created, applying the hotfix by selecting all instances at once completes successfully. However, the hotfix does not deploy certain required files, specifically, the jetty-ipaccess.xml file, into the cfusion/jetty/etc directory as expected. This file was introduced in updates 19 (CF 2021), 13 (CF 2023), and 1 (CF 2025), but was missing in this case.
  • An error occurs when registering or unregistering the PDF Service Manager after installing the previous updates. After applying the update and restarting both the ColdFusion and Add-on services, editing the PDFg service in the Administrator causes the PDF engine 1 to behave unexpectedly.
  • After installing the previous update, the FTP and cfzip packages did not work, even though they were listed in cfpm.

Then on each of the different technotes for each version, there are a couple more that I have pulled out below.

Additional bugs fixed in CF2025:

  • After applying the previous update and installing the add-ons, you are unable to publish a document to pdf.
  • In ColdFusion AWS AMI deployments, error messages related to isAutoRestartInstances and undefined STATUS elements are observed in the NGLLICENSEINFO context. When accessing the Activation page, ColdFusion throws an error indicating that the isAutoRestartInstances method could not be found or resolved.
  • After installing the previous update, the FTP and cfzip packages did not work, even though they were listed in cfpm.

Additional bugs fixed in CF2023:

  • When adding or deleting a node after CCS is stopped, ColdFusion throws an exception.
  • After installing the previous update, the FTP and cfzip packages did not work, even though they were listed in cfpm.

Additional bugs fixed in CF2021:

  • When Update 14 is applied to a cluster configuration, the ext folder located at ColdFusion2021\cfusion\jetty\lib is removed and moved to the backup directory. As a result, search collections become inaccessible, and an error message appears.
  • As part of the PDF-related fixes, specific files under /webapps/WEB-INF/classes were supposed to be updated by the hotfix. However, these files were not replaced as expected, which leads to the PDF service being removed when edited via ColdFusion Administrator.

"Known issues" that remain after the update, with workarounds

Then similarly, the update technotes for each version list the following as known issues that remain even after the update (the first one relates to the point I'd made above about the change regarding creating a CAR archive):

  • The CAR build fails if the packages folder is not present. As a workaround, create a folder called packages in /cfusion/, if the folder is not already created.
  • On non-Windows systems, editing the local PDF service via Administrator > PDF Service results in the service being removed. The IP address 127.0.0.1 is not included in the allowed list within the jetty/etc/jetty-ipaccess.xml file. As a result, the system blocks the local PDF service connection, leading to its deletion when edited. As a workaround, manually whitelist 127.0.0.1 in the jetty-ipaccess.xml file. This will allow the PDF service to function correctly when edited from the ColdFusion Administrator.

Then for CF2021, uniquely, its update technote mentions one other known issue:

  • Uninstalling ColdFusion 2021 Update 19 may remove the xalan.jar file from C:\ColdFusion2021\cfusion\lib, even though it was not added during the installation of Update 19. As a workaround, manually copy the xalan.jar file from a server running Update 18 to the affected server's C:\ColdFusion2021\cfusion\lib directory.

Finally, I will note that while it's not mentioned in any of these 3 update technotes, there has been in the technotes for previous recent CF updates an indication that one should stop CF after the update and delete the cfusion/bin/felix-cache folder, then restart CF (and repeat that for any instances other than cfusion that you may have). Certainly if you are moving to this latest update from other than the immediately preceding update, it would seem wise to perform this step (there's no reason NOT to).

A few other topics generic to recent CF updates, which you may want to consider

Before wrapping up, and separate from the details in the previous section, there are a few other matters that may interest you, which I have covered in my previous blog posts on the updates. What I said in them applies to this one as well--especially if you may have jumped to this update from ones previous to the last one, so I'll just point you to these last few topics in my post about the previous update in October:

  • What to consider, with regard to the 4 previous CF updates (possible breaking changes)
  • As with all CF updates, possible need to upgrade web server connector
  • Something to consider, if you're coming from CF2021 update 10 or CF2023 update 4, or earlier
  • You can probably ignore the discussion of the -Djdk.serialFilter "ColdFusion JDK Flag"

My discussion of those points starts at this point in that post from Oct.

I may soon break these points out into their own post (so that I can more easily point out the issues in my posts about other CF updates just before and just after this one). If I do, I will update this section to point to that.

On getting help with the update(s)

Finally, if you may want help with considering, installing, or troubleshooting anything related to these updates (or indeed anything related to CF), I'm available for online remote consulting. I can often help solve such update problems VERY quickly, getting you back on your feet. More at carehart.org/consulting.

Or you can certainly reach out to the CF community, starting first perhaps with the Adobe forum thread announcing the update, which I pointed to above. Then I list several of the online CF communities here.

Comments
Hi Charlie. Not sure how to get this to Adobe but there is a bug with the patch.

If you have a remote function that you call with cfajaxproxy and you have a cfparam tag with a URL variable in Application.cfm it will try and pass the variable as an argument to the function and error out.

Application.cfm
**************************
<cfparam name="URL.WindowType" default="Screen">



test.cfm
**************************

<cfajaxproxy cfc="proxy" jsclassname="testproxy">

<script>
var ColdFusionProxy = new testproxy();
var TestDate = ColdFusionProxy.getDate();

document.write(TestDate);
</script>



proxy.cfc
**************************

<cfcomponent displayname="proxy" output="false">

   <cffunction name="getDate" access="remote" returntype="date" output="false"
            hint="Returns the current date and time">

      <cfreturn Now()>
      
   </cffunction>
   
</cfcomponent>


Error:

Function getDate does not support WINDOWTYPE as an argument in in C:\inetpub\wwwroot\proxy.cfc

Removing the cfparam tag works around the issue
# Posted By Randy | 5/14/25 8:41 AM
Copyright ©2025 Charlie Arehart