Announcing ColdFusion updates released July 8 2025: p1 security update and more
As usual, there are a number of things you should consider before (or after) doing the update, with some discussed in Adobe's resources on the update (more than one), and some that I share below based on my experience helping people apply this and past updates. Finally, the update corrects some issues introduced in the previous updates, released in May.
In this post, I share the details about the update (from Adobe and from others). I can report I have installed the update for each release on multiple machines and operating systems without any major incidents. As for challenges (common to recent releases) and lessons learned (about this update), read on.
Following are the topics discussed in this post:
- Finding the update (and finding more about it)
- Things to beware BEFORE doing the update
- What are the security issues addressed in the update?
- What's changed in the update?
- Improvements labeled as "bugs fixed"
- "Known issues" that remain after the update, with workarounds
- A few other topics generic to recent CF updates, which you may want to consider
- On getting help with the update(s)
First, I know some people look for my posts as a go-to resource about the update, and some may wish I'd gotten this note out yesterday (the day of the update's release). Like some other CF updates recently, there was a lot to take in--and I needed time to consider some of what was shared by others in the community, as I offered help to them and my own clients. Now I'm able to share that with you.
Finding the update (and finding more about it)
While you should have seen the update appear in your CF Admin when you log in (and if you don't, give it time, as there may be a caching issue), as always Adobe has announced the update via their CF Community Forums and portal/blog. (There tends to be more discussion in the forum announcement than in the blog post, though not always.)
And those point to the very important technote available for each version:
- ColdFusion (2025 release) Update 3
- ColdFusion (2023 release) Update 15
- ColdFusion (2021 release) Update 21
Things to beware BEFORE doing the update
Before I discuss what's CHANGED in the update, I want to take a moment to highlight some matters that you should beware of BEFORE doing the update (whether warned of in the technote or from my own experience helping folks)...though I realize some people may only find or read this blog post AFTER they have already applied the updates. For them, perhaps it can help them deal with problems before they become more noticeable as time passes.
Beware that if you'd modified the pathfilter.json file introduced in the May CF update, sadly that file will be overwritten
First, I want to make sure folks notice that the technote has this warning in a box near the top. Technically, it applies only to people who a) had applied the May CF update and b) had modified the new pathfilter.json file introduced in that update (see my post on that May update for more):
If you have added custom entries to the pathfilter.json file for scheduled task output file allowlisting, you must either:
- Back up the pathfilter.json file before applying the update, or
- Restore it from the update backup after applying the update.
The backup copy of the file can be found at: hf-updates\hf-2021-00021-330446\backup\lib\pathfilter.json
Of course, the path offered in that last line does vary per each technote, with respect to that specific CF version. (And FWIW, the box is NOT there on the CF2025 update 3 technote, but it SHOULD be, as I DID find that the file was overwritten by that update. I have informed Adobe about the need for a correction.)
Backup your neo-cron.xml
Though not mentioned in the technote (currently), before doing the update, you should check if you have any scheduled tasks that "publish" or "save output" to a file. That's an option with scheduled tasks.
If you do (or just to be safe), you should first back up the neo-cron.xml file (found in cfusion/lib or [yourinstancename]\lib under your CF folder), as it's possible that some existing scheduled tasks will be removed when CF starts up after the update. This is related to the discussion in the previous section.
As of the May 2025 CF update, you must use that new pathfilter.json to whitelist the folders it should be possible to save such output to. (If you wonder why this is necessary, it's that there have been ways over the years that "bad guys" could cause a scheduled task to be created--and if it saved output, that too could be compromised. So CF can't "just trust" a task configured to save output. This new file is a protection mechanism.)
If a task IS configured to save output, then on startup (after the May or July CF updates), that task will be REMOVED (and a line to that effect is written to the CF logs).
This warning to back up the neo-cron.xml was discussed in the May update technotes, but curiously it's not (currently) in this update's technotes. And it's all the more important given what I shared in the previous section, that the update WILL overwrite any pathfilter.json you MAY have created after that last CF update. Forewarned is forearmed.
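One way to reconcile the two copies after the update, as an added example that is neither Adobe's nor the author's code: rather than restoring the backup wholesale (which would discard any entries the update itself added), merge the custom entries from the backup copy into the freshly installed pathfilter.json. The key names in the sample data are constructed, since the file's schema is not documented here, so the merge is written schema-agnostic.

```python
"""Merge custom allowlist entries from the pre-update pathfilter.json backup
into the copy the update installed (example code, not Adobe's).

Dicts merge recursively, lists are unioned in order, and on a scalar
conflict the freshly installed value wins, so nothing Adobe shipped is lost.
The JSON key names below are constructed for illustration only.
"""
import json
from pathlib import Path


def merge(installed, backup):
    """Recursively merge `backup` into `installed`, keeping entries from both."""
    if isinstance(installed, dict) and isinstance(backup, dict):
        out = dict(installed)
        for key, val in backup.items():
            out[key] = merge(installed[key], val) if key in installed else val
        return out
    if isinstance(installed, list) and isinstance(backup, list):
        out = list(installed)
        for item in backup:
            if item not in out:  # order-preserving union; works for dict items too
                out.append(item)
        return out
    # Scalar conflict (e.g. a version marker): the update's value wins.
    return installed


def merge_files(installed_path, backup_path, out_path=None):
    """Merge two pathfilter.json files on disk and write the result.

    `backup_path` would typically be the update's own backup copy, e.g.
    hf-updates\\hf-2021-00021-330446\\backup\\lib\\pathfilter.json (from the technote).
    """
    installed = json.loads(Path(installed_path).read_text(encoding="utf-8"))
    backup = json.loads(Path(backup_path).read_text(encoding="utf-8"))
    merged = merge(installed, backup)
    Path(out_path or installed_path).write_text(
        json.dumps(merged, indent=2), encoding="utf-8"
    )
    return merged


# Constructed sample data: the file as installed by the update, and the
# pre-update backup that carried one custom allowlisted output folder.
INSTALLED = {"allowedPaths": ["C:\\ColdFusion2021\\cfusion\\logs"], "version": 2}
BACKUP = {
    "allowedPaths": ["C:\\ColdFusion2021\\cfusion\\logs", "D:\\reports\\nightly"],
    "version": 1,
}

if __name__ == "__main__":
    print(json.dumps(merge(INSTALLED, BACKUP), indent=2))
```

Review the merged file before restarting CF, since any task whose output folder is still not allowlisted will be removed at startup, as described above.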
Let's move on from changes to security fixes.
What are the security issues addressed in the update?
In simple terms, the update's security fixes "mitigate vulnerabilities related to arbitrary file reads, code execution, privilege escalation, and security feature bypass", to quote the technotes. If you read the APSB for this update, it indicates first again that it's a Priority 1 "Critical" update, and it identifies several different issues/vulnerabilities that are addressed, with CVSS scores ranging from 2.7 to 9.3 out of 10--affecting equally all 3 CF versions that are being updated.
You can read the bulletin for the boilerplate identification of the issues, and their Mitre CWE definitions, as well as the acknowledgements of those who identified and reported the vulns. Sadly, as is nearly always the case, there is very little detail beyond that about the vulns, and certainly no information to help you "detect if you're vulnerable". The expectation is that "you are" (vulnerable) and therefore "you should apply the update" in order to get the protection it offers.
What's perhaps more unfortunate is that a) there are several different issues and b) there are changes put into effect related to some of them--as well as bugs fixed, etc....but you don't get to pick and choose "parts of these updates". You apply the update and you get ALL these security fixes AND bug fixes, including whatever changes are coming along for the ride, as discussed in the next section.
(BTW, as for the APSB's final section, "ColdFusion JDK Requirement", offering jvm args to be applied, that does NOT apply to most folks. Instead it's only for those who deploy CF via WAR or EAR files on JEE app servers. For more, see my discussion below.)
What's changed in the update?
If you read the resources I point to above (the forum thread, the blog post, and especially the technote for the update to each CF version), they discuss what's changed, at least in brief. The update technotes do offer more detail than the others, though generally still not a LOT of detail. So I'd like to present here the key points (as addressed differently across those various resources), with perhaps a little more context and indeed in a different order than Adobe lists them. And while some of the matters could be considered "security issues", I pull out here some more important ones to be separate from the more generic discussion in the previous section.
Tomcat upgraded, along with some Apache libraries
The good news is that this CF update does update the Tomcat underlying CF (Tomcat 10 for CF2025, Tomcat 9 for CF2023 and CF2021). Specifically, CF2025's Tomcat went from version 10.1.34 to 10.1.42, while the other two CF versions went from version 9.0.72 to 9.0.106. These updates include important bug fixes and performance improvements as well as security enhancements. The bad news for many is that this "took too long to happen". Let me elaborate, as this is an important issue for many.
You may be aware that CF is typically deployed (by the CF installer or zip install or the CF docker image) atop a slightly modified version of Tomcat, which Adobe implements and provides. And like CF, sometimes Tomcat has security vulns and updates to address them. But sadly we ourselves can't "just update the Tomcat underlying CF". We have to wait for Adobe to do that, in an update like this. Sometimes that can take months--and all the while people running CF may have security folks breathing down their neck, even threatening to "pull the plug on CF".
So let's focus on the good news: the Tomcat underlying CF is updated...for now.
While we're on the topic of upgrades to underlying components, note also that the technotes indicate the library version number changes for a few low-level Apache libraries: POI, XMLBeans, Commons IO, and Commons Compress.
New JVM arg, needed if your apps "parse XML with external entities"
The technote makes a rather terse indication that the update includes a new jvm arg, described as follows: "This flag controls whether external entities are allowed when parsing XML. By default, the flag is set to false to disable external entity resolution, preventing potential XML External Entity (XXE) vulnerabilities such as file disclosure or denial-of-service attacks. Setting this flag to false (the default) enhances security and prevents blind XXE attacks that could otherwise be exploited to read sensitive files from the file system. If your applications rely on parsing XML with external entities enabled (not recommended), you must explicitly set the flag to true, but this may introduce security risks." As for the page with more on the JVM arg, note that there is now a page listing ALL of the CF JVM flags (as they are added in each update), which is available separately for CF2025 and for CF2023/CF2021.
An improvement over a problem from the last two updates
In the May update, a breaking change was implemented (for the sake of security), where now any calls into "remote" methods of CFCs would require that ALL incoming args to that method must be defined. That caused some problems, unexpected by many (including Adobe).
In this update, that requirement is "now limited to remote CFC calls only and do not apply to regular (local) method invocations".
A post-update step required, for those on CF2023 or CF2025 who are using the CCS feature
The update technotes for CF2023 and 2025 mention a step that's required by those using the CCS (Central Configuration Server) feature, which was introduced in CF2023. If you don't use that feature, skip to the next section. If you DO use it, here is what the technote says: "If your ColdFusion server instance is registered as a client with the Central Configuration Server (CCS), you will need to re-register the instance after applying Update 3 by running the deletenode command followed by addnode. This step is not required for CCS nodes that are child ColdFusion instances."
Changes, as a result of any CF updates you may be skipping
Of course, when we say that "these are the things changed per this update", it's important to note that this is referring specifically to THIS update--and it's presuming you are coming from the immediately preceding update.
If instead you are skipping that one or any before it, note that you MUST take into consideration whatever is indicated as having changed in that/those prior updates you're skipping.
The technote and Adobe resource pages about the update do offer a link to a page listing ALL updates for each CF version, to facilitate that effort. And FWIW, I try to do a blog post on each of the CF updates, so you can look also at those for more info. Here's the link to my category of posts on most of the previous updates.
Package updates
Finally, as is the case with many (but not ALL CF updates), this update does include updates to several packages. Note that there is a table at the bottom of each technote which indicates what packages were updated.
Improvements labeled as "bugs fixed"
While the above section(s) focused on what the technote lists as "changed", we should also regard as "improvements" the various bug fixes that were implemented, as well as (in the next section) the known issues that remain even after the update (which can seem like "changes" caused by this update).
In each technote's "bugs fixed" section is a list of bullet points (which are the same for all 3 CF versions), covering several matters that WERE problems but which should now be fixed. Keep that in mind when reading them (as they are worded as if they ARE problems--a common problem with bug fix lists for many products). They include fixes related to autolockdown, use of returnformat or queryformat in remote methods, a typo in a startup message, a problem related to editing PDF Services in the CF Admin (on non-Windows systems), scheduled tasks, encrypted PDFs, and cfdocument.
Again, these are all listed as "fixed". See the technote for a bit more on each. And I can note that there are no "bugs fixed" which are unique to the update technote for any particular one of the 3 CF versions.
"Known issues" that remain after the update, with workarounds
The update technotes for each version do also list "known issues", which remain even after the update. In this update, there are (currently) none listed that apply to all 3 CF versions. And there are (currently) none listed for CF2023 at all.
As for CF2025, its update technote lists only one known issue, related to use of HTMLTOPDF when you run multiple instances of CF. That issue is repeated in the technote for CF2021...but curiously it's not listed in the one for CF2023. I would be surprised if it applies to 2025 and 2021 but NOT 2023, so I have raised that with Adobe, and perhaps it will be added soon to the 2023 technote. Anyway, see the technote for a bit more on the issue.
Finally, as for CF2021, its update technote lists one other issue (unique to it), related to ORM. Again, see the technote for more. And there may well be other changes added to the technotes over time (it has happened), and usually an indication is made to clarify what's been changed. As always, you really should read the technotes before applying updates.
A few other topics generic to recent CF updates, which you may want to consider
Before wrapping up, there are a few other matters that may interest you, as they generally apply to ALL the updates.
The first is that while it's not mentioned in every update technote, there has been in the technotes for previous recent CF updates an indication that one should stop CF after the update and delete the cfusion/bin/felix-cache folder, then restart CF (and repeat that for any instances other than cfusion that you may have). Certainly if you are moving to this latest update from other than the immediately preceding update, it would seem wise to perform this step (there's no reason NOT to).
Beyond that, there are a few more topics which I have covered in my previous blog posts on the updates. What I said in them applies generally to this one as well--especially if you have jumped to this latest update from one other than the immediately preceding update--so I'll just point you to the bottom of my post from the Oct 2024 update where I discuss them more:
- What to consider, with regard to some previous CF updates (possible breaking changes)
- As with all CF updates, possible need to upgrade web server connector
- Something to consider, if you're coming from CF2021 update 10 or CF2023 update 4, or earlier
- and more
The discussion of these points starts at this point in that Oct 2024 post.
I may eventually break these points out into their own post (so that I can more easily point out the issues in my posts about other CF updates). If I do, I will update this section to point to that.
On getting help with the update(s)
Finally, if you may want help with considering, installing, or troubleshooting anything related to these updates (or indeed anything related to CF), I'm available for online remote consulting. I can often help solve such update problems VERY quickly (often minutes, rarely even hours), getting you back on your feet. More at carehart.org/consulting.
Or you can certainly reach out to the CF community, starting first perhaps with the Adobe forum thread announcing the update, which I pointed to above. Adobe folks might well respond to issues you raise there. Or you could reach out to their support email addresses: [email protected] or [email protected]. Finally, to reach out to the wider CF community, note that I offer links to several of the online CF communities here.
For more content like this from Charlie Arehart, see his blog.