ColdFusion (2025 release) Update 2
Security recommendations
For all security updates, Adobe recommends applying the security configuration settings outlined on the ColdFusion Security page and reviewing the respective Lockdown guides.
Check if you need to create and configure connectors after installing the update. View the section Connector Configuration Table for more information.
What's new and changed
ColdFusion (2025 release) Update 2 (release date: May 13, 2025) resolves critical and important vulnerabilities that could lead to arbitrary file system reads, arbitrary code execution, privilege escalation, and security feature bypass. It also addresses the PDFg service-related issues from the previous ColdFusion updates.
View the security bulletin, APSB25-52, for more information.
With this update, the serialfilter.txt file present in cfusion/lib will be replaced. So if you already have custom entries added to the file, copy the custom entries from the backup file (cfusion/hf-updates/{version}/backup/lib).
Remote method changes
If a remote method expects certain parameters, those arguments must be explicitly declared using the cfargument tag or defined directly in the function signature. For example, if a remote function is defined to accept two arguments, it must only receive those two. Passing more than the declared number (for example, 10) will result in an error. This change ensures stricter method integrity and a better debugging experience. This behavior change applies only to remote CFC methods.
New JVM flags in this update
- -Dcoldfusion.runtime.remotemethod.matchArguments
- -Dcoldfusion.systemprobe.allowexecution
View JVM arguments in ColdFusion (2025 release) for more information on the flags.
New Admin API
The function canSystemProbeExecuteFile is introduced as part of the scheduler component (CFIDE.adminapi.scheduler). This function checks if ColdFusion allows executing system probes.
```cfml
<cfscript>
    // Instantiate the Admin API scheduler component and call the new method;
    // it returns whether ColdFusion permits system probes to execute a program
    obj = createObject("component", "cfide.adminapi.scheduler");
    writeOutput(obj.canSystemProbeExecuteFile());
</cfscript>
```
The path provided for the program to execute is validated to contain only alphanumeric characters, slashes, hyphens, underscores, colons, spaces, and periods (.).
Pathfilter changes
The previous update introduced pathfilter.txt inside cfusion/lib folder for bytecode execution prevention. In this update, instead of pathfilter.txt, ColdFusion will introduce pathfilter.json. Note that pathfilter.txt will still be available, although ColdFusion will use the json file, not the txt file. The keys in the file represent features like scheduler, bytecode, and so on.
{ "comments": "paths should be semi-colon separated. To allow a file: {path-of-file}; To Allow a directory & files in it: {path-to-directory}/*; To Allow a directory & sub-directories: {path-to-directory}/**; To Block a file: !{path-of-file}; To Block a directory & sub-directories: !{path-to-directory}/**; Precedence decreases from left to right. Suppose directory A has directory B & C inside it. To Allow B & Block C: !A/C/*;A/**;", "bytecodeexecutionpaths": "", "schedulerexecutionpaths": "" }
If scheduled tasks have the Publish > Save output to a file option enabled in ColdFusion Administrator with a specified file path, the task will no longer function unless that path is explicitly allowed in the schedulerexecutionpaths section of pathfilter.json file located in <cf_home>/lib.
After you've made the changes, restart ColdFusion.
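The rule syntax above is easy to get subtly wrong, and a wrong schedulerexecutionpaths value silently stops scheduled tasks from writing their output. The following Python script is an added example, not ColdFusion's own matching code: it models the documented rule forms (a single file, `dir/*`, `dir/**`, the `!` block prefix, left-to-right precedence, and deny-by-default when no rule matches) so an administrator can check a candidate path against a pathfilter.json value before restarting the server. The sample pathfilter.json content and the /opt/cf/out paths are constructed for the example; the normalization of backslashes to forward slashes and the case-sensitive comparison are assumptions, not documented behaviour.

```python
"""Model of the pathfilter.json matching rules described in the update notes.

Added example, not ColdFusion's own implementation: it applies the documented
rule forms (file, dir/*, dir/**, ! prefix, left-to-right precedence, default
deny) to a candidate path so an admin can sanity-check a schedulerexecutionpaths
value before restarting the server.
"""
import json
import posixpath


def _normalize(path: str) -> str:
    # Assumption: compare on forward-slash, normalized paths (Windows
    # backslashes are converted); case is preserved.
    return posixpath.normpath(path.replace("\\", "/"))


def _rule_matches(pattern: str, path: str) -> bool:
    """True if one rule body (without the leading '!') covers `path`."""
    if pattern.endswith("/**"):
        # Directory and all sub-directories.
        base = _normalize(pattern[:-3])
        return path == base or path.startswith(base + "/")
    if pattern.endswith("/*"):
        # Directory and the files directly inside it (no sub-directories).
        base = _normalize(pattern[:-2])
        return path == base or posixpath.dirname(path) == base
    # Exact file.
    return path == _normalize(pattern)


def is_allowed(rules: str, path: str) -> bool:
    """Evaluate a semicolon-separated rule string against one path.

    Rules are consulted left to right and the first match decides; a path
    matched by no rule is denied, which is the behaviour the notes describe
    for schedulerexecutionpaths (an empty value allows nothing).
    """
    target = _normalize(path)
    for raw in rules.split(";"):
        rule = raw.strip()
        if not rule:
            continue
        block = rule.startswith("!")
        pattern = rule[1:] if block else rule
        if _rule_matches(pattern, target):
            return not block
    return False


def check_scheduler_paths(pathfilter_json: str, output_paths):
    """Return {output_path: allowed?} for the schedulerexecutionpaths key."""
    config = json.loads(pathfilter_json)
    rules = config.get("schedulerexecutionpaths", "")
    return {p: is_allowed(rules, p) for p in output_paths}


# Constructed pathfilter.json in the documented shape; the rule string
# follows the notes' own "allow B, block C" example under a directory A.
SAMPLE_PATHFILTER = json.dumps({
    "comments": "see the update notes for the rule syntax",
    "bytecodeexecutionpaths": "",
    "schedulerexecutionpaths": "!/opt/cf/out/C/*;/opt/cf/out/**",
})

if __name__ == "__main__":
    for path, ok in check_scheduler_paths(SAMPLE_PATHFILTER, [
        "/opt/cf/out/B/report.txt",   # allowed by /opt/cf/out/**
        "/opt/cf/out/C/report.txt",   # blocked: the earlier !.../C/* wins
        "/opt/cf/out/C/deep/x.txt",   # allowed: /* covers only C's own files
        "/var/tmp/report.txt",        # no rule matches -> denied
    ]).items():
        print(f"{'ALLOW' if ok else 'DENY '} {path}")
```

The third sample path is the caveat worth noticing: a block rule written with `/*` only covers files directly inside that directory, so anything in a sub-directory of C still falls through to the later `/opt/cf/out/**` allow rule. If the whole C subtree should be blocked, the block rule needs the `/**` form, placed before the broader allow.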
Refreshed add-on installers
We've refreshed the add-on installers for this update of ColdFusion 2025. Download the add-on installers from Download Coldfusion.
Update to the latest MySQL connector
For security reasons, we highly recommend using the latest MySQL Java connector (version 8.0.15 or later). Earlier versions contain known security vulnerabilities that could put your environment at risk.
For more information on installing the connector, see Configuring the MySQL JDBC driver (MySQL Connector).
Bugs fixed in the update
- After applying the previous update and installing the add-ons, you are unable to publish a document to pdf.
- Executing the command docker run --rm -it -v ./mywebroot:/app -e acceptEULA=YES adobecoldfusion/coldfusion:latest cli t.cfm on a Docker image causes a Null pointer exception.
- When ColdFusion is installed and multiple instances are created, applying the hotfix by selecting all instances at once completes successfully. However, the hotfix does not deploy certain required files, specifically, the jetty-ipaccess.xml file, into the cfusion/jetty/etc directory as expected. This file was introduced in updates 19 (CF 2021), 13 (CF 2023), and 1 (CF 2025), but was missing in this case.
- An error occurs when registering or unregistering the PDF Service Manager after installing the previous updates. After applying the update and restarting both the ColdFusion and Add-on services, editing the PDFg service in the Administrator causes the PDF engine 1 to behave unexpectedly.
- After installing the previous update, the FTP and cfzip packages did not work, even though they were listed in cfpm.
- In ColdFusion AWS AMI deployments, error messages related to isAutoRestartInstances and undefined STATUS elements are observed in the NGLLICENSEINFO context. When accessing the Activation page, ColdFusion throws an error indicating that the isAutoRestartInstances method could not be found or resolved.
Known issues in the update
- The CAR build fails if the packages folder is not present. As a workaround, create a folder called packages in <cfhome>/cfusion/, if the folder is not already created.
- On non-Windows systems, editing the local PDF service via Administrator > PDF Service results in the service being removed. The IP address 127.0.0.1 is not included in the allowed list within the jetty/etc/jetty-ipaccess.xml file. As a result, the system blocks the local PDF service connection, leading to its deletion when edited. As a workaround, manually whitelist 127.0.0.1 in the jetty-ipaccess.xml file. This will allow the PDF service to function correctly when edited from the ColdFusion Administrator.
Prerequisites
- On 64-bit computers, use 64-bit JRE for 64-bit ColdFusion.
- If the ColdFusion server is behind a proxy, specify the proxy settings for the server so that it can get the update notification and download the updates. Specify the proxy settings using the system properties below in jvm.config for a stand-alone installation, or in the corresponding startup script for a JEE installation.
- http.proxyHost
- http.proxyPort
- http.proxyUser
- http.proxyPassword
- For ColdFusion running on JEE application servers, stop all application server instances before installing the update.
ColdFusion JDK flag requirements
COLDFUSION 2025 (version 2025.0.0.331385)
For Application Servers
On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**; !com.mysql.cj.jdbc.interceptors.**;!org.apache.commons.collections.**;", in the respective startup file depending on the type of Application Server being used.
For example:
- Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file
- WebLogic Application Server: edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file
- WildFly/EAP Application Server: edit JAVA_OPTS in the ‘standalone.conf’ file
Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.
ColdFusion Administrator
In Package Manager > Packages, click Check for Updates in Core Server.
After it detects an update, click Update. The core package gets updated to the latest update.
All installed packages also get updated.
Restart ColdFusion for the changes to take effect.
Install the update in offline mode manually
- Download the hotfix installer from the link.
- Download the packages zip file from this link and extract its contents to a location accessible to all ColdFusion server instances.
- Update "packagesurl" in cfusion/lib/neo_updates.xml of cfusion and all its child instances to point to <InstallerRepositoryUnzippedPath>/bundles/bundlesdependency.json present inside the downloaded folder.
You must have privileges to start or stop ColdFusion service and full access to the ColdFusion root directory.
- Windows: <cf_root>\jre\bin\java.exe -jar <InstallerRepositoryUnzippedPath>\bundles\updateinstallers\hotfix-002-331451.jar
- Linux-based platforms: <cf_root>/jre/bin/java -jar <InstallerRepositoryUnzippedPath>/bundles/updateinstallers/hotfix-002-331451.jar
If the core server hotfix installation is successful but there are errors or issues with packages, the packages can be installed or updated from the package manager client (cfusion\bin\cfpm.bat or cfpm.sh).
Ensure that the JRE bundled with ColdFusion is used to execute the downloaded JAR. For standalone ColdFusion, it is located at <cf_root>/jre/bin.
Install the update from a user account that has permissions to restart ColdFusion services and other configured webservers.
For further details on manually updating the application, see the help article.
Post installation
After applying this update, the ColdFusion build number should be 2025,0,02,331451.
Uninstallation
To uninstall the update, perform one of the following:
- In ColdFusion Administrator, click Uninstall in Server Update > Updates > Installed Updates.
- Run the uninstaller for the update from the command prompt. For example, java -jar {cf_install_home}/{instance_home}/hf_updates/hf-2025-00002-331451/uninstall/uninstaller.jar
If you can't uninstall the update using the above-mentioned uninstall options, the uninstaller could be corrupted. However, you can manually uninstall the update by doing the following:
- Delete the update jar from {cf_install_home}/{instance_name}/lib/updates.
- Copy all folders from the {cf_install_home}/{instance_name}/hf-updates/{hf-2025-00002-331451}/backup directory to {cf_install_home}/{instance_name}/.
Connector configuration
2025 Update | Connector recreation required
---|---
Update 2 | No
Update 1 | No
Package updates
2025 Update | Packages updated
---|---
Update 2 | The following packages are updated:
Update 1 | The following packages are updated: