
Announcing ColdFusion updates released Sep 9 2025: p1 security update

An update for ColdFusion has been released, Sep 9 2025, for each of cf2025 (update 4), cf2023 (update 16) and cf2021 (update 22). In brief, it addresses a single P1 (Priority 1, "Critical") security vulnerability, along with an indicated update to the "feed" package (used by cffeed). Note that Adobe is also currently reporting that "Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates." More below.

As usual, there are a number of things you should consider before (or after) doing the update, with some discussed in Adobe's resources on the update (there are more than one), and some info that I share below based on my experience helping people apply this and past updates.

In this post, I share the details about the update (from Adobe and from others). I can report I have installed the update for each release on multiple machines and operating systems without any major incidents. As for challenges (common to recent releases) and lessons learned (about this update), read on.

Following are the topics discussed in this post:

First, I know some people look for my posts as a go-to resource about the update, and some may wish I'd gotten this note out earlier today (the day of the update's release). Besides testing on multiple machines, I also take time to consider feedback shared in the community, or things I learn as I offer help to them and my own clients.

Finding the update (and finding more about it)

While you should have seen the update appear in your CF Admin when you login (and if you don't, give it time as there may be a caching issue), as always Adobe has announced the update via their CF Community Forums and portal/blog, specifically:

(There tends to be more discussion in the forum announcement than the blog post, though not always.)

And those point to the very important technote available for each version:

Things to beware BEFORE doing the update

Before I discuss what's CHANGED in the update, I want to take a moment to highlight some matters that you should beware BEFORE doing the update (whether warned of in the technote or from my own experience helping folks)...though I realize some people may only find or read this blog post AFTER they have already applied the updates. For them, perhaps it can help them deal with problems before they become more noticeable as time passes.

Beware that if you'd modified the pathfilter.json file introduced in the May CF update, sadly that file will be overwritten

This happened first with the update in July, and it's still happening. Technically, it applies only to people who a) had applied the May or July CF update and then b) had modified the new pathfilter.json file introduced in that May update (see my post on that May update for more):

If you have added custom entries to the pathfilter.json file for scheduled task output file white-listing, that file is removed and not replaced by this update. You must either:
  • Back up the pathfilter.json file before applying the update, or
  • Restore it from the backup taken by the update, after you apply the update.
The backup copy of the file can be found along with many (not all) other CF files that are backed up during updates, in the "hf-updates" subfolder created for the update you applied, where you'll find it in \backup\lib\pathfilter.json

Note that as of the July 2025 CF update, at least CF no longer DELETES scheduled tasks if they exist (and publish output but do NOT match the whitelist). That happened with the May CF update. Again, see my blog post from then for more on this whole matter.

And note that I have a section later on things to consider AFTER applying the update. Now, on to more about THIS update.

What are the security issues addressed in the update?

In simple terms, the update's security fix "addresses an important security fix related to critical path traversal", to quote the technotes.

If you read the APSB for this update, it indicates first again that it's a Priority 1 "Critical" update, addressing this one CVE, with a CVSS score of 9.0 out of 10--affecting equally all 3 CF versions that are being updated.

But that is also where I got the quote I offered at the open, that "Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates."

You can read the bulletin for the boilerplate identification of the issues, and their Mitre CWE definitions, as well as the acknowledgements of who identified/reported such vulns. Sadly, as is nearly always the case, there is very little detail beyond that about the vulns, and certainly no information to help you "detect if you're vulnerable". The expectation is that "you are" (vulnerable) and therefore "you should apply the update" in order to get the protection it offers.

(BTW, as for the APSB's final section, "ColdFusion JDK Requirement", offering jvm args to be applied, that does NOT apply to most folks. Instead it's only for those who deploy CF via EAR or WAR files on JEE app servers. For more, see my discussion below.)

Packages updated in this update

Finally, as is the case with many (but not ALL) CF updates, as I noted previously this update does say it includes an update to just the "feed" package (for use with cffeed).

Note that there is a table at the bottom of each technote which indicates what packages were updated.

This update lists no "bug fixes" and currently offers no "known issues"...though again the ones from the previous updates should be heeded, especially if you are skipping any.

Changes, as a result of any CF updates you may be skipping

Of course, when we say that "these are the things changed per this update", it's important to note that this is referring specifically to THIS update--and it's presuming you are coming from the immediately preceding update.

If instead you are skipping that one or any before it, note that you MUST take into consideration whatever is indicated as having changed in that/those prior updates you're skipping.

The technote and Adobe resource pages about the update do offer a link to a page listing ALL updates for each CF version, to facilitate that effort.

Most important, perhaps, note that some CF updates introduce breaking changes (where Adobe is sacrificing compatibility for the sake of security). In those cases, they may identify (in the technotes) some new jvm arg which, if added to CF's startup args (like in the jvm.config file or the CF Admin "java & jvm" page), may revert that change of behavior (sacrificing that one security improvement for the sake of compatibility).

Again, see the update technotes for this update and any you may be skipping, to see if it may offer such a new JVM arg. And FWIW, I try to do a blog post on each of the CF updates, so you can look also at those for more info. Here's the link to my category of posts on most of the previous updates, where I tend to cover these important breaking changes and any jvm args.

Finally, note that Adobe has recently started to track in a separate page what those new jvm args are. There's one list for CF2025 and another for CF2023 and 2021. Sometimes these pages may say a bit more than the update technotes do, but rarely. See both.

How can you assess if the update went well?

When you apply a CF update, it's easy to think, "well, if CF came back up, I'm good". That's not true. There MAY have been an error during the update--or during the applying of package updates (which happen during the first startup of CF after the update).

1) Check the update log, both for success applying the update

When the update is finished (and CF is restarted), the update mechanism (a java process that CF launches to do the update) will write a log file to the cfusion/hf-updates folder, in the subfolder named for the update you just did (such as \ColdFusion2025\cfusion\hf-updates\hf-2025-00004-331512, which of course will vary for each update). And the log file will have a name like Adobe_ColdFusion_2025_Update_4_Install_09_09_2025_18_57_33.log, which again will vary for each update--but note that it includes the time of the update.

In that file, look at about line 70 which will show a table of "successes" and "fatalerrors" and "nonfatalerrors". You want to see 0 of the latter two. There is also a count of "warnings", but 1 or even a couple may be insignificant.

If there were errors, there can be any of many explanations. I covered some of the more common ones first in a blog post several years ago How to solve common problems with applying ColdFusion updates. See also a 2025 presentation I did, Solving Common Problems with CF Updates (PDF and recording offered there).

But before closing the log file, see the next section.

2) Check that same update log, for success in it downloading any package updates

New since CF2021, CF is now modular (based on OSGI) such that most CF features are organized into "packages" (or "modules") that you can choose to implement or not. And most CF updates (but not all) include some package update/s.

As such, we also need to make sure such package updates go well when applying a CF update. And the first place to watch is in that same update log from the previous section. See the bottom of the log, where it may report one or many packages (and related "jar" files) being downloaded (or it may report, "All the packages are already updated as per the current core update level.")

A key point to note is that it's NOT the CF update (tracked in this log) which PERFORMS the package update. Instead, it ONLY attempts to DOWNLOAD whatever packages will need to be updated. It's then on the next CF STARTUP (which happens automatically after a CF update) that any packages are updated. To wit...

3) Check the coldfusion-out.log for success during UPDATING of any packages

The coldfusion-out.log tracks most of what happens during startup of CF (there is also information in the coldfusion-error.log; and of course if you run CF from the command line rather than as a service, the info normally sent to these files is sent to your console instead.)

So after performing a CF update, and assuming the update log indicated that there were package updates downloaded, you would look to the BOTTOM of the coldfusion-out.log (assuming CF just restarted), to observe the lines that discuss CF first "uninstalling" any packages (and related jars) that were updated. Then it will show that any implemented packages are "started" (it never shows it "installing" or "updating" the packages, per se). We want to watch for any errors that occur (well, pay attention especially to any which may not be happening on every CF startup.)

It could be several dozen or more lines which are written during CF startup, depending on a) the number of packages you've installed and b) how many needed to be updated. If you have trouble interpreting problems you see, see the final section here where I can help, remotely, and often nearly immediately.
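To make the three checks above repeatable, here is a small script (an added example, not code from the post or from Adobe) that reads the counts table and package-download lines from the hf-updates install log and then scans the tail of coldfusion-out.log for startup errors. The exact layout of the counts table and of the download/startup lines is an assumption modelled on the descriptions above, and both log samples are constructed; confirm the patterns against your own files before relying on it.

```python
"""Post-update checks for a ColdFusion hotfix: counts table and package
downloads from the hf-updates install log, then startup errors from the
tail of coldfusion-out.log. Log layouts are assumptions; verify locally."""
import re

# Constructed sample of an install log (assumed layout of the counts table).
UPDATE_LOG = """\
Install Begin: Tue Sep 09 18:57:33 EDT 2025
     Summary
     -------
14 Successes
1 Warnings
0 NonFatalErrors
0 FatalErrors
Downloading package feed
"""

# Constructed sample of the end of coldfusion-out.log after the first restart.
OUT_LOG = """\
Sep 09, 2025 19:02:10 Information [main] - Uninstalling package feed
Sep 09, 2025 19:02:11 Information [main] - Started feed
Sep 09, 2025 19:02:12 Error [main] - Cannot find implementation class coldfusion.tagext.mail.MailTag for the mail tag
"""

COUNT_RE = re.compile(r"^\s*(\d+)\s+(Successes|Warnings|NonFatalErrors|FatalErrors)\s*$", re.M)
ERROR_RE = re.compile(r"\b(error|exception|missing|cannot find)\b", re.I)

def parse_update_log(text):
    """Return the counts table plus what the log says about package downloads."""
    counts = {name: int(n) for n, name in COUNT_RE.findall(text)}
    downloads = [ln.strip() for ln in text.splitlines() if "download" in ln.lower()]
    return {
        "counts": counts,
        "downloads": downloads,
        "packages_current": "All the packages are already updated" in text,
    }

def assess_update(report, max_warnings=2):
    """Problems to chase before calling the update done (empty list = looks good)."""
    c = report["counts"]
    problems = []
    if not c:
        problems.append("no counts table found; the update may not have finished")
    if c.get("FatalErrors", 0) or c.get("NonFatalErrors", 0):
        problems.append(f"errors reported: {c}")
    if c.get("Warnings", 0) > max_warnings:
        problems.append(f"{c['Warnings']} warnings; read them in the log")
    if not report["downloads"] and not report["packages_current"]:
        problems.append("no package downloads and no 'already updated' line")
    return problems

def scan_startup_log(text, tail=200):
    """Lines near the end of coldfusion-out.log that look like package errors."""
    lines = text.splitlines()[-tail:]
    return [ln for ln in lines if ERROR_RE.search(ln)]
```

On a real server, replace the two constants with the contents of the install log and coldfusion-out.log, and treat any non-empty result from either function as something to investigate (the MailTag line in the sample is the error discussed in the comments below).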

A few other topics generic to recent CF updates, which you may want to consider

Before wrapping up, there are a few other matters that may interest you, which generally apply to ALL the updates.

You should strongly consider the suggestion to "delete the felix-cache"

The first is that while it's not mentioned in every update technote, there has been in the technotes for previous recent CF updates an indication that one should stop CF after the update and delete the cfusion/bin/felix-cache folder, then restart CF. There's no reason NOT to do this, and it HAS been known to fix issues that lingered after an update. (And repeat that step for any instances other than "cfusion" which you may have, if running CF Enterprise or the Developer or Trial edition.)

Other update topics to consider

Beyond that, there are a few more topics which I have covered in my previous blog posts on the updates. What I said in them applies generally to this one as well--especially if you may have jumped from an older update straight to this latest one, so I'll just point you to the bottom of my post from the Oct 2024 update where I discuss them more:

  • What to consider, with regard to some previous CF updates (possible breaking changes)
  • As with all CF updates, possible need to upgrade web server connector
  • Something to consider, if you're coming from CF2021 update 10 or CF2023 update 4, or earlier
  • and more

The discussion of these points starts at this point in that Oct 2024 post.

I may eventually break these points out into their own post (so that I can more easily point out the issues in my posts about other CF updates). If I do, I will update this section to point to that.

On getting help with the update(s)

Finally, if you may want help with considering, installing, or troubleshooting anything related to these updates (or indeed anything related to CF), I'm available for online remote consulting. I can often help solve such update problems VERY quickly (often minutes, rarely even hours), getting you back on your feet. More at carehart.org/consulting.

Or you can certainly reach out to the CF community, starting first perhaps with the Adobe forum thread announcing the update, which I pointed to above. Adobe folks might well respond to issues you raise there. Or you could reach out to their support email addresses: [email protected] or [email protected]. Finally, to reach out to the wider CF community, note that I offer links to several of the online CF communities here.

Comments
Scenario: CF2023 following the manual hotfix instructions provided by Vikram (https://coldfusion.adobe.com/2024/09/a-simple-way-to-install-coldfusion-updates-manually-in-offline-mode/).

Is anyone else in that scenario (or, I guess, any scenario) seeing the infamous "Cannot find implementation class coldfusion.tagext.mail.MailTag for the mail tag" error after applying the hotfix?

I've uninstalled/re-installed the 'mail' package; I've cleared the felix-cache 3 different times. But, I can't get rid of the error.

Any other suggestions? Thank you.
# Posted By Matt | 9/10/25 7:55 AM
Resolved my issue. The 'felixclassloader-2023.0.05.330608.jar' is missing from the CF2023u16 hotfix bundles folder. That will cause the problem I mentioned above; it was present in the CF2023u15 hotfix.
# Posted By Matt | 9/10/25 8:25 AM
Thanks for sharing, Matt. First I want to say it's not a universal problem. I've installed the update on multiple machines without that error, and one that had a similar but different one...but it in fact had more errors, which were shown during the startup in the coldfusion-out.log. See my discussion above about the importance of observing that during CF startup after the update (and two places in the update log to check out also after each update).

In my case, several more files were reported "missing" in that log during the startup. And I found them listed as several "removed" by the update in the hotfixfilelist.log, located next to the update log.

And like you I copied the ones listed as missing back into place. The update had saved them into its backup/bundles folder. I copied those listed as missing back into cf's bundles/repo folder, and I restarted CF. The errors were gone and tests worked.

I want to repeat: this was NOT needed in other updates of that same version, each configured the same way and updated the same way (in my case using the admin, not the offline manual update you mention).

So no, I wasn't doing it as you were, but my point is that one had the problem I saw but the rest did not. So it just supports again that it's not clear that even everyone who updates the way you did will have the problem you did.

Still, thanks for sharing your observation. If you have your logs and could check what I did, it might be interesting to hear what you'd see.

I think the most interesting thing will be to find what CAUSES these errors, when they may or may not happen on what seem at least to be identically configured cf instances. Clearly SOMETHING is different.

But at least you and I have offered two scenarios, with solutions that may help others. I know some people don't care to understand WHY problems might happen: they just want the solution. As always, I hope to offer both. :-)

I'll be trying the approach you followed, to see if and when I may get that problem you did. Hope all this may help someone. Thanks again for adding to the conversation--and the research.
Amazingly, the automatic update actually worked for the first time in ....ever? However, I forgot to clear the felix-cache. Once I did that and restarted, everything was good!
# Posted By Tony Mason | 9/28/25 4:04 PM
The auto (admin) update really can and does work every time for many. Whenever it doesn't, there's a reason that can be resolved, or the manual alternative should work (but can have its own challenges, also solvable). Glad it worked for you finally. And yep, we have that manual felix-cache step to try to remember. :-)
Copyright ©2025 Charlie Arehart