Announcing ColdFusion updates released Jan 13 2026 - p1 security update
In brief, this update (for both CF2023 and CF2025) addresses a P1 (Priority 1, "Critical") security vulnerability in the Apache Tika Java library, which Adobe embeds in CF for certain document processing.
Before proceeding, it's of some concern to note that unlike recent CF security updates, Adobe does NOT report (in the APSB, linked to below) that they are "not aware of any exploits in the wild for any of the issues addressed in these updates." That omission would seem to imply that they ARE aware of this vuln being exploited, which raises the urgency of getting it applied. (It also raises the concern all the more for those on CF2021 or earlier, for whom Adobe no longer offers ANY updates, including security updates.)
In this post, I share the details about the update (from Adobe and from others). I also share additional info you may want to consider before (or after) doing the update.
For more, read on.
I'll note first that having installed the update for each of the releases on multiple machines, I can report that it went well.
Following are the topics discussed in this post:
- Finding the update (and finding more about it)
- Things to beware BEFORE doing the update
- What are the security issues addressed in the update?
- What's changed in the update?
- Improvements labeled as "bugs fixed" in this update
- "Known issues" that remain after the update, with workarounds
- Packages updated in this update
- Changes, as a result of any CF updates you may be skipping?
- How can you assess if the update went well?
- A few other topics generic to recent CF updates, which you may want to consider
- On getting help with the update(s)
I appreciate that some people look for my posts as a go-to resource about the update, and some may wish I'd gotten this note out earlier today (the day of the update's release). Besides testing on multiple machines, I also take time to consider feedback shared in the community, or things I learn as I offer help to them and my own clients.
Finding the update (and finding more about it)
While you should have seen the update appear in your CF Admin when you login (and if you don't, give it time as there may be a caching issue), as always Adobe has announced the update via their CF Community Forums, specifically:
For this update, I do NOT find that they announced it on their CF portal/blog.
(There tends to be more "discussion" from community members in the forum announcement than the blog post, though not always.)
And those announcements point to the very important technote available for each version:
Things to beware BEFORE doing the update
Before discussing the update further, and since some may see that info above and try to proceed (before reading what I share below), I want to share some more information that you should consider BEFORE doing the update.
Beware that if you'd modified the pathfilter.json file introduced in the May 2025 CF update, sadly that file will be overwritten
This first matter applies to both CF versions. It started happening with the update in July, and it's still happening. Technically, it applies only to people who a) had applied the May or July CF update and then b) had modified the new pathfilter.json file introduced in that May update (see my post on that May update for more):
If you have added custom entries to the pathfilter.json file (in cfusion/lib or [instancename]/lib), used for whitelisting folders for scheduled task output or for precompiled code, note that this file is REMOVED and replaced by an empty default version in the update. You must either:
- Back up the pathfilter.json file before applying the update, to restore it afterward
- Or restore it from the backup folder created by the update itself, after you apply the update.
The backup copy of the file can be found along with many (not all) other CF files that are backed up during updates, in the "hf-updates" subfolder created for the update you applied, where you'll find it in \backup\lib\pathfilter.json
One more thing to beware: the Dec 2025 update added a NEW section to that file (related to CAR file processing), so you can't simply restore your file from BEFORE this update over top of that. You should fold any changes you previously made into that new version of the file created with that update.
The update technote doesn't warn of either of the issues above, but previous updates did and the concern still seems to apply. (If I learn otherwise, I will update this.)
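Since you can't simply copy the old file over the new one, here is one way to fold your custom entries into the file the update wrote. This is an added example (my illustration, not Adobe's code). The file locations follow what's described above: the live file in cfusion/lib (or [instancename]/lib) and the update's backup copy in the hf-updates subfolder under backup\lib. The key names in the constructed sample data are assumptions for illustration only; the merge itself is schema-agnostic and works with whatever keys your real pathfilter.json contains.

```python
"""Fold custom pathfilter.json entries from a pre-update backup into the
new default file that the update wrote.

Added example, not Adobe's code. The key names in the constructed sample
data below are assumptions for illustration; the merge is schema-agnostic.
"""
import json
from pathlib import Path
from typing import Any, List


def merge_pathfilter(new_default: Any, backup: Any) -> Any:
    """Return new_default with entries from backup folded in.

    Policy: the merged document always keeps the STRUCTURE of the new
    default (so a section the update introduced is present), lists are
    unioned so your custom entries survive, and scalars keep the new
    default's value. Keys the new default no longer has are NOT carried
    over silently; use keys_dropped_from_backup() to review them.
    """
    if isinstance(new_default, dict) and isinstance(backup, dict):
        return {
            key: merge_pathfilter(val, backup[key]) if key in backup else val
            for key, val in new_default.items()
        }
    if isinstance(new_default, list) and isinstance(backup, list):
        merged = list(new_default)
        for item in backup:
            if item not in merged:  # order preserved, duplicates dropped
                merged.append(item)
        return merged
    return new_default


def keys_dropped_from_backup(new_default: Any, backup: Any, prefix: str = "") -> List[str]:
    """Dotted paths of keys present in backup but absent from new_default."""
    dropped: List[str] = []
    if isinstance(new_default, dict) and isinstance(backup, dict):
        for key, val in backup.items():
            if key not in new_default:
                dropped.append(prefix + key)
            else:
                dropped.extend(keys_dropped_from_backup(new_default[key], val, prefix + key + "."))
    return dropped


def merge_files(new_path: Path, backup_path: Path, out_path: Path) -> List[str]:
    """Merge two files on disk, write the result, and return any dropped keys."""
    new_default = json.loads(new_path.read_text(encoding="utf-8"))
    backup = json.loads(backup_path.read_text(encoding="utf-8"))
    merged = merge_pathfilter(new_default, backup)
    out_path.write_text(json.dumps(merged, indent=2) + "\n", encoding="utf-8")
    return keys_dropped_from_backup(new_default, backup)


# Constructed sample data (key names are illustrative assumptions, not CF's).
NEW_DEFAULT = {  # what the update writes: empty sections plus a newly added one
    "scheduledTaskPaths": [],
    "precompiledCodePaths": [],
    "carFilePaths": [],
}
BACKUP = {  # your pre-update file, with custom entries and an old section
    "scheduledTaskPaths": ["/var/www/reports", "/var/www/exports"],
    "precompiledCodePaths": ["/opt/cfcompiled"],
    "legacySection": {"enabled": True},
}

if __name__ == "__main__":
    print(json.dumps(merge_pathfilter(NEW_DEFAULT, BACKUP), indent=2))
    for key in keys_dropped_from_backup(NEW_DEFAULT, BACKUP):
        print("review: backup key not in new default, not carried over:", key)
```

Run merge_files() with the update's new file, the backup copy, and an output path, then diff the output against the new default before putting it in place and restarting CF. Anything it reports as dropped is a section the new default has no place for, which you should look at by hand rather than have a script guess about.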
What are the security issues addressed in the update?
The update's technote clarifies that the update "addresses CVE-2025-66516, a critical XXE in Apache Tika libraries. Adobe strongly recommends that you apply this update as soon as possible."
If you read the Adobe Product Security Bulletin (APSB) for this update, it indicates that it's a Priority 1 "Critical" update, and the CVE bulletin indicates it has a CVSS score of 9.8 out of 10.
You can read the bulletin for the boilerplate identification of the issues, and the CVE document. Sadly, as is nearly always the case, there is very little detail beyond that about the vulns, and certainly no information to help you "detect if you're vulnerable". The expectation is that "you are" (vulnerable) and therefore "you should apply the update" in order to get the protection it offers.
(BTW, as for the APSB's final section, "ColdFusion JDK Requirement", offering jvm args to be applied, that does NOT apply to most folks. Instead it's only for those who deploy CF via EAR or WAR files on JEE app servers.)
What's changed in the update?
This update, unlike others, has no changes other than those related to addressing this Tika vulnerability.
That said, note that with respect to CF2025, its technote indicates an extra step to take if you use the ColdFusion PMT (Performance Monitoring Toolset). The steps referred to there don't apply to CF2023's implementation of the PMT.
Conversely, the CF2023 technote indicates a concern about preserving any changes you may have made previously to the tika-config.xml file. It seems those concerns don't apply to CF2025. (I have asked Adobe about these two things and a bit more, in a comment I placed today on the Adobe forum entry linked to above. If I learn something new, I'll update this post.)
Packages updated in this update
As is the case with many (but not ALL) CF updates, this update does include updates to several of its packages: 5 of them for both versions, and one other (msgraph) for CF2025 (which does not exist in CF2023). Note that there is also a table at the bottom of each technote indicating what packages were updated.
Improvements labeled as "bugs fixed" in this update
This update has no indication of any bugs fixed, at the time of this writing.
"Known issues" that remain after the update, with workarounds
This update has no indication of any known issues, at the time of this writing.
Changes, as a result of any CF updates you may be skipping
Of course, when we say that "these are the things changed per this update", it's important to note that this is referring specifically to THIS update--and it's presuming you are coming from the immediately preceding update.
If instead you are skipping that one or any before it, note that you MUST take into consideration whatever is indicated as having changed in that/those prior updates you're skipping.
The technote and Adobe resource pages about the update do offer a link to a page listing ALL updates for each CF version, to facilitate that effort.
Most important, perhaps, note that some CF updates introduce breaking changes (where Adobe is sacrificing compatibility for the sake of security). In those cases, they may identify (in the technotes) some new jvm arg which, if added to CF's startup args (like in the jvm.config file or the CF Admin "java & jvm" page), may revert that change of behavior (sacrificing that one security improvement for the sake of compatibility).
Again, see the update technotes for this update and any you may be skipping, to see if it may offer such a new JVM arg. And FWIW, I try to do a blog post on each of the CF updates, so you can look also at those for more info. Here's the link to my category of posts on most of the previous updates, where I tend to cover these important breaking changes and any jvm args.
Finally, note that Adobe has recently started to track in a separate page what those new jvm args are. There's one list for CF2025 and another for CF2023 and 2021. Sometimes these pages may say a bit more than the update technotes do, but rarely. See both.
How can you assess if the update went well?
When you apply a CF update, it's easy to think, "well, if CF came back up, I'm good". That's not true. There MAY have been an error during the update--or during the applying of package updates (which happen during the first startup of CF after the update).
1) Check the update log, first for success applying the update
When the update is finished (and CF is restarted), the update mechanism (a java process that CF launches to do the update) will write a log file to the cfusion/hf-updates folder, in the subfolder named for the update you just did (such as--for CF2025 update 4: \ColdFusion2025\cfusion\hf-updates\hf-2025-00004-331512, which of course will vary for each update). And the log file will have a name like Adobe_ColdFusion_2025_Update_4_Install_09_09_2025_18_57_33.log, which again will vary for each update--but note that it includes the time of the update.
In that file, look at about line 70 which will show a table of "successes" and "fatalerrors" and "nonfatalerrors". You want to see 0 of the latter two. There is also a count of "warnings", but 1 or even a couple may be insignificant.
If there were errors, there can be any of many explanations. I covered some of the more common ones first in a blog post several years ago How to solve common problems with applying ColdFusion updates. See also a 2025 presentation I did, Solving Common Problems with CF Updates (PDF and recording offered there).
But before closing the log file, see the next section.
2) Check that same update log, for success in it downloading any package updates
New since CF2021, CF is modular (based on OSGi) such that most CF features are organized into "packages" (or "modules") that you can choose to implement or not. And most CF updates (but not all) include some package update/s.
As such, we also need to make sure such package updates go well when applying a CF update. And the first place to watch for is in that same update log from the previous section. See the bottom of the log, where it may report one or many packages (And related "jar" files) being downloaded (or it may report, "All the packages are already updated as per the current core update level.")
A key point to note is that it's NOT the CF update (tracked in this log) which PERFORMS the package update. Instead, it ONLY attempts to DOWNLOAD whatever packages will need to be updated. It's then on the next CF STARTUP (which happens automatically after a CF update) that any packages are updated.
To wit, the last (and equally important) thing to check is...
3) Check the coldfusion-out.log for success during UPDATING of any packages
The coldfusion-out.log tracks most of what happens during startup of CF (there is also information in the coldfusion-error.log; and of course if you run CF from the command line rather than as a service, the info normally sent to these files is sent to your console instead). But regarding updates, it tracks whether any packages you have installed are updated (which happens during that startup).
So after performing a CF update, and assuming the update log indicated that there were package updates downloaded, you would look to the BOTTOM of the coldfusion-out.log (assuming CF just restarted), to observe the lines that discuss CF first "uninstalling" any packages (and related jars) that were updated. Then it will show that any implemented packages are "started" (it never shows it "installing" or "updating" the packages, per se). We want to watch for any errors that occur (well, pay attention especially to any which may not be happening on every CF startup.)
It could be several dozen or more lines which are written during CF startup, depending on a) the number of packages you've installed and b) how many needed to be updated. If you have trouble interpreting problems you see, see the final section here where I can help, remotely, and often nearly immediately.
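To make those three checks repeatable across servers, here is an added example (my illustration, not Adobe's tooling) that finds the newest install log, reads its summary counts, notes whether packages were reported as already current, and then scans only the most recent startup in coldfusion-out.log so an error from an earlier run isn't mistaken for a new one. What it relies on from above: the install log's location under hf-updates and its name pattern, the Successes/Warnings/NonFatalErrors/FatalErrors counts, and the "All the packages are already updated" sentence. What it assumes: the exact "N Successes" line shape, the word "package" appearing on the package lines, and the startup marker text in coldfusion-out.log (set START_MARKER to whatever your own log shows). Both sample logs are constructed.

```python
"""Post-update checks: install-log summary, package-download note, and a
scan of the most recent CF startup in coldfusion-out.log.

Added example, not Adobe's tooling. The line shapes of the constructed
samples and the startup marker are assumptions; adjust to your real logs.
"""
import re
from pathlib import Path
from typing import Dict, List, Optional

SUMMARY_KEYS = ("Successes", "Warnings", "NonFatalErrors", "FatalErrors")
SUMMARY_RE = re.compile(r"^\s*(\d+)\s+(Successes|Warnings|NonFatalErrors|FatalErrors)\b", re.M)
ALL_CURRENT = "All the packages are already updated as per the current core update level."
ERROR_RE = re.compile(r"\berror\b|exception", re.I)
PACKAGE_RE = re.compile(r"\bpackage\b", re.I)  # assumed wording of package lines


def newest_install_log(cfusion_dir: Path) -> Optional[Path]:
    """Most recently modified install log under cfusion/hf-updates (path/name pattern per the post)."""
    logs = list((cfusion_dir / "hf-updates").glob("hf-*/Adobe_ColdFusion_*_Install_*.log"))
    return max(logs, key=lambda p: p.stat().st_mtime, default=None)


def parse_install_summary(text: str) -> Dict[str, object]:
    """Steps 1 and 2: read the summary table and the package-download note.

    ok is True only when both error counts are zero; a warning or two is
    tolerated, as noted above, but the count is still returned for review.
    """
    counts: Dict[str, object] = {name: int(n) for n, name in SUMMARY_RE.findall(text)}
    missing = [k for k in SUMMARY_KEYS if k not in counts]
    if missing:
        raise ValueError(f"install log summary table not found; missing {missing}")
    counts["packages_already_current"] = ALL_CURRENT in text
    counts["ok"] = counts["FatalErrors"] == 0 and counts["NonFatalErrors"] == 0
    return counts


def scan_startup_log(text: str, start_marker: str) -> Dict[str, List[str]]:
    """Step 3: look only at the LAST startup recorded in coldfusion-out.log.

    Everything before the last occurrence of start_marker belongs to an
    earlier run and is ignored.
    """
    lines = text.splitlines()
    start = 0
    for i, line in enumerate(lines):
        if start_marker in line:
            start = i
    window = lines[start:]
    return {
        "package_lines": [l for l in window if PACKAGE_RE.search(l)],
        "errors": [l for l in window if ERROR_RE.search(l)],
    }


# Constructed samples; real lines will differ in wording and format.
INSTALL_LOG_SAMPLE = """\
(constructed install log)
Summary
-------
Installation: Successful.

134 Successes
1 Warnings
0 NonFatalErrors
0 FatalErrors

All the packages are already updated as per the current core update level.
"""
START_MARKER = "Starting ColdFusion"  # assumed wording; set to what your log shows
STARTUP_LOG_SAMPLE = """\
Jan 13, 2026 18:50:01 Information [main] - Starting ColdFusion
Jan 13, 2026 18:50:09 Error [main] - java.lang.NullPointerException (earlier run)
Jan 13, 2026 18:57:40 Information [main] - Starting ColdFusion
Jan 13, 2026 18:57:41 Information [main] - Uninstalling package: document
Jan 13, 2026 18:57:42 Information [main] - Uninstalling package: pdf
Jan 13, 2026 18:57:45 Information [main] - Started package: document
Jan 13, 2026 18:57:45 Information [main] - Started package: pdf
Jan 13, 2026 18:57:46 Error [main] - Failed to start package: msgraph (constructed failure)
Jan 13, 2026 18:57:50 Information [main] - ColdFusion started
"""

if __name__ == "__main__":
    print(parse_install_summary(INSTALL_LOG_SAMPLE))
    print(scan_startup_log(STARTUP_LOG_SAMPLE, START_MARKER))
```

On a real server, pass newest_install_log(Path("/path/to/cfusion")).read_text() to parse_install_summary(), and the contents of cfusion/logs/coldfusion-out.log to scan_startup_log(). If parse_install_summary() reports ok but packages were downloaded (not "already current"), the package_lines from the startup scan are where the outcome actually shows up, per the point above that the update only downloads packages and the next startup applies them.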
A few other topics generic to recent CF updates, which you may want to consider
Before wrapping up, there are a few other matters that may interest you, which generally apply to ALL the updates.
You should strongly consider the suggestion to "delete the felix-cache"
The first is that while it's not mentioned in every update technote, there has been in the technotes for previous recent CF updates an indication that one should stop CF after the update and delete the cfusion/bin/felix-cache folder, then restart CF. There's no reason NOT to do this, and it HAS been known to fix issues that lingered after an update. (And repeat that step for any instances other than "cfusion" which you may have, if running CF Enterprise or the Developer or Trial edition.)
Other update topics to consider
Beyond that, there are a few more topics which I have covered in my previous blog posts on the updates. What I said in them applies generally to this one as well--especially if you may have jumped to this latest update from one several updates back--so I'll just point you to the bottom of my post from the Oct 2024 update where I discuss them more:
- What to consider, with regard to some previous CF updates (possible breaking changes)
- As with all CF updates, possible need to upgrade web server connector
- Something to consider, if you're coming from CF2021 update 10 or CF2023 update 4, or earlier
- and more
The discussion of these points starts at this point in that Oct 2024 post.
I may eventually break these points out into their own post (so that I can more easily point out the issues in my posts about other CF updates). If I do, I will update this section to point to that.
On getting help with the update(s)
Finally, if you may want help with considering, installing, or troubleshooting anything related to these updates (or indeed anything related to CF), I'm available for online remote consulting. I can often help solve such update problems VERY quickly (often minutes, rarely even hours), getting you back on your feet. More at carehart.org/consulting.
Or you can certainly reach out to the CF community, starting first perhaps with the Adobe forum thread announcing the update, which I pointed to above. Adobe folks might well respond to issues you raise there. Or you could reach out to their support email addresses: [email protected] or [email protected]. Finally, to reach out to the wider CF community, note that I offer links to several of the online CF communities here.
For more content like this from Charlie Arehart:
Need more help with problems?
- Signup to get his blog posts by email:
- Follow his blog RSS feed
- View the rest of his blog posts
- View his blog posts on the Adobe CF portal
- If you may prefer direct help, rather than digging around here/elsewhere or via comments, he can help via his online consulting services
- See that page for more on how he can help a) over the web, safely and securely, b) usually very quickly, c) teaching you along the way, and d) with satisfaction guaranteed