Announcing ColdFusion updates released July 8 2025: p1 security update and more

An update for ColdFusion has been released, July 8 2025, for each of cf2025 (update 3), cf2023 (update 15) and cf2021 (update 21). In brief, it addresses a number of P1 (Priority 1, "Critical") security vulnerabilities and more, including bug fixes and some modest feature changes.

As usual, there are a number of things you should consider before (or after) doing the update, with some discussed in Adobe's resources on the update (more than one), and some that I share below based on my experience helping people apply this and past updates. Finally, the update corrects some issues introduced in the previous updates, released in May.

In this post, I share the details about the update (from Adobe and from others). I can report I have installed the update for each release on multiple machines and operating systems without any major incidents. As for challenges (common to recent releases) and lessons learned (about this update), read on.

Comments
As always, many thanks for the detailed blogpost Charlie!
# Posted By Jos | 7/10/25 3:49 AM
Has anyone had any issues sending emails after installing the update?

I updated our servers this morning, and every time I try and send an email now, it results in a 500 Server Error.
# Posted By Steve | 7/10/25 9:51 AM
Hello Steve,

Stop ColdFusion
Delete the Felix cache folder (cfusion/bin/felix-cache)
Restart ColdFusion

This will resolve your issue.
# Posted By Roberto A. | 7/10/25 12:37 PM
Thanks for jumping in, Roberto. And as it's helped you (as discussed in your comment in the Adobe forum announcing the update), we may well expect it to help Steve.

I'll point out to you both (and all readers) that I DID cover this clearing of the felix-cache in my section above, "A few other topics generic to recent CF updates, which you may want to consider", where I explained that while this update's technote does not SAY to do it, it HAS often been the solution to some problems--which not EVERYONE may necessarily experience.

And that's also why I just say to do it as a matter of good practice: as I concluded, "there's no reason NOT to".

If this specific mail issue does prove to be rather universal, I'll update the post to reflect that. For now, these comments should help (those who don't heed my own recommendation about it).
Thanks Charlie. Adobe actually listed it as a known issue today.

https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-update-21.html
# Posted By Roberto A. | 7/10/25 12:59 PM
There may be more to it also. It looks like the CF2025 Update 3 is removing the required jar from ColdFusion2025/cfusion/lib folder. (mail package lists this as required)

bcmail-jdk15on-153.jar (is missing now)
# Posted By Kevin Benore | 7/10/25 3:38 PM
So guys (Roberto and Kevin), thanks for the thoughts.

First, good to see Adobe added that as a known issue...but it's odd that it's listed only on the technote for cf2021...not cf2025 or 2023. I have asked Adobe directly about that.

Finally Kevin, given that, and when you say 2025 is removing the required jar, what is that? FWIW, there IS an indication (in the 2025 update technote alone) that "The jar file `xlsx-streamer-2.1.0.jar` has been removed and replaced with `excel-streaming-reader-5.0.4.jar`." But I don't think that's what you're referring to, since it clearly has nothing to do with mail.

I'm thinking you're referring to something maybe you saw in your logs? What jar was it?
Ah, sorry. I see now you indicated it at the bottom of your comment as being bcmail-jdk15on-153.jar.

Let me do some exploring (or perhaps others will and will get back to us).
Let me point out also that I have found an unrelated problem causing comments here to not be emailed to people. (Other emails are getting out.) I'll work on that also.
This update has been...interesting? Trying to hot fix 15 on cf2023. After the usual manual install trials and tribulations, all seemed well until trying to use CFMAIL anywhere, it would error with something to do with "bouncycastle"?

Here's the full error - I tried updating bcprov-jdk15on-153.jar to a newer version but that seemed to make things error even more. I ended up just rolling back the update for now.

java.lang.VerifyError:
Bad type on operand stack
Exception Details:
Location:
coldfusion/mail/mod/MailImpl.signMail(Ljavax/mail/internet/MimeMessage;Ljavax/mail/Session;)Ljavax/mail/internet/MimeMessage; @238: invokevirtual
Reason:
Type 'org/bouncycastle/asn1/smime/SMIMEEncryptionKeyPreferenceAttribute' (current frame, stack[1]) is not assignable to 'org/bouncycastle/asn1/ASN1Encodable'
Current Frame:
bci: @238
flags: { }
locals: { 'coldfusion/mail/mod/MailImpl', 'javax/mail/internet/MimeMessage', 'javax/mail/Session', 'java/security/KeyStore', '[Ljava/security/cert/Certificate;', 'java/security/PrivateKey', 'org/bouncycastle/asn1/ASN1EncodableVector', 'java/security/cert/X509Certificate', 'java/lang/String', 'org/bouncycastle/asn1/cms/IssuerAndSerialNumber' }
stack: { 'org/bouncycastle/asn1/ASN1EncodableVector', 'org/bouncycastle/asn1/smime/SMIMEEncryptionKeyPreferenceAttribute' }
# Posted By Tony Mason | 7/13/25 7:10 PM
Tony, the problem is known, is easily solved, and is discussed in both the comments here and now in the update technote for both cf2023 and cf2021. See the "known issues" bullet on cfmail. Technote link offered above.

It now discusses the need (and details how to) delete the felix-cache (something I also warned of originally in the post). And yes, I will also update my post to note this addition to the "known issues" in the technote--for the sake of those who don't read the technotes...or all the comments here. :-)
I'm also going to dramatically pare down the several dozen lines of error details in your comment, as only a few lines should be needed to help future readers who may search those key parts. :-)
Thanks Charlie! I didn't see anything in the known issues for 2023 list, but I should have given that a shot - I saw the references above!
# Posted By Tony Mason | 7/13/25 7:25 PM
Sorry about that, it's always the game of "maybe I should only paste the first part" which inevitably leads to "you didn't paste enough of the error, how are we supposed to help you without good info" vs. "I'll just paste everything!" which gets you "you didn't need to paste the library of congress, dude". :)
# Posted By Tony Mason | 7/13/25 7:29 PM
Understood :-)

And I've already updated the post about the new "known issue".
Thanks for the detailed review of this (and previous) updates Charlie! Everything went great here!
# Posted By Marlon | 7/15/25 5:25 PM
There appears to be a NEW remote cfc issue that has been introduced in this update. I've created a bug for it, including a very dumbed-down sample app to recreate/demonstrate the issue on this update vs the previous one.

https://tracker.adobe.com/#/view/CF-4227376

The gist:

We're all aware of the expected behavior if you attempt to call a remote cfc method with required parameters without including all of the required parameters in your call. However, it appears that Adobe potentially has moved WHEN THAT VALIDATION OCCURS in the request process. It used to occur after onRequestStart() (verifiable with my aforementioned sample app) which would allow you to do some query_string/url scope manipulation prior to that validation. Now? Not so.
# Posted By Kevin | 7/31/25 12:36 PM
Copyright ©2025 Charlie Arehart