Pete FreitagLatest ColdFusion Security Updates - May 2025
By Pete Freitag
This page is updated with the latest ColdFusion Security Updates and Hotfixes published by Adobe.
Latest ColdFusion Security Update
May 2025 - ColdFusion 2025 Update 2, ColdFusion 2023 Update 14, ColdFusion 2021 Update 20
Release Date: May 13, 2025
Adobe Product Security Bulletin APSB25-52 fixes several critical vulnerabilities.
Vulnerabilities Fixed
This priority 1 security hotfix resolved 7 critical vulnerabilities, and 1 important vulnerability.
Links & Resources
- APSB25-15 - Adobe Product Security Bulletin
- CF2025 Update 2 - Adobe KB article for ColdFusion 2025 Update 2
- CF2023 Update 14 - Adobe KB article for ColdFusion 2023 Update 14
- CF2021 Update 20 - Adobe KB article for ColdFusion 2021 Update 20
- Forum Thread - Adobe ColdFusion forum thread discussing CF2023u14 and CF2021u20, and CF2025u2.
Notes / Issues
- Remote methods arguments must now be explicitly defined in the function (eg as cfargument tags). Fixinator 6.1.0 now detects undefined arguments in remote functions
- If you use MySQL Adobe recommends that you use the latest MySQL Connector (or at least version 8.0.15 or later)
- The
pathfilter.txtwill be updated, so if you have modified it, you will need to reapply your changes
Previous ColdFusion Security Updates
April 2025 - ColdFusion 2025 Update 1, ColdFusion 2023 Update 13, ColdFusion 2021 Update 19
Release Date: April 8, 2025
Adobe Product Security Bulletin APSB25-15 fixes several critical vulnerabilities.
Vulnerabilities Fixed
This priority 1 security hotfix resolved 11 critical vulnerabilities, and 4 important vulnerabilities.
Links & Resources
- APSB25-15 - Adobe Product Security Bulletin
- CF2025 Update 1 - Adobe KB article for ColdFusion 2025 Update 1
- CF2023 Update 13 - Adobe KB article for ColdFusion 2023 Update 13
- CF2021 Update 19 - Adobe KB article for ColdFusion 2021 Update 19
- Forum Thread - Adobe ColdFusion forum thread discussing CF2023u13 and CF2021u19, and CF2025u1.
Notes / Issues
No updates to the connectors in this release. The administrator, and ajax packages were updated as part of this release.
One notable change in this update is the addition of IP restrictions for the jetty (ColdFusion Add On Services) server which is used for Solr and cfhtmltopdf. Typically you only access this server over localhost, details for configuring the IPs can be found here.
December 2024 - ColdFusion 2023 Update 12, ColdFusion 2021 Update 18
Release Date: December 23, 2024
Adobe Product Security Bulletin APSB24-107 fixes one critical vulnerability.
Vulnerabilities Fixed
- CVE-2024-53961 - critical (7.4), priority 1 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Arbitrary file system read
Links & Resources
- APSB24-107 - Adobe Product Security Bulletin
- CF2023 Update 12 - Adobe KB article for ColdFusion 2023 Update 12
- CF2021 Update 18 - Adobe KB article for ColdFusion 2021 Update 18
- Forum Thread - Adobe ColdFusion forum thread discussing ColdFusion 2023 Update 12 and CF 2021 Update 18.
- Info: Charlie Arehart - lots of great info for updating / mitigating
- Analysis: Brian Reilly - good analysis
Notes / Issues
No updates to the connectors in this release. The pmtagent package was updated as part of this release.
October 2024 - ColdFusion 2023 Update 11, ColdFusion 2021 Update 17
Release Date: October 15, 2024
This update was not a security hotfix update, although it did update some third party libraries with vulnerabilities (such as netty).
Links & Resources
- CF2023 Update 11 - Adobe KB article for ColdFusion 2023 Update 10
- CF2021 Update 17 - Adobe KB article for ColdFusion 2021 Update 16
- Forum Thread - Adobe ColdFusion forum thread discussing ColdFusion 2023 Update 11 and CF 2021 Update 17.
September 2024 - ColdFusion 2023 Security Update 10, ColdFusion 2021 Security Update 16
Release Date: September 10, 2024
Adobe Product Security Bulletin APSB24-71 fixes one critical vulnerability.
Vulnerabilities Fixed
- CVE-2024-41874 - critical (9.8) Deserialization of Untrusted Data vulnerability allowing for arbitrary code execution
Links & Resources
- APSB24-71 - Adobe Product Security Bulletin
- CF2023 Update 10 - Adobe KB article for ColdFusion 2023 Update 10
- CF2021 Update 16 - Adobe KB article for ColdFusion 2021 Update 16
- Forum Thread - Adobe ColdFusion forum thread discussing ColdFusion 2023 Update 10 and CF 2021 Update 16.
Notes / Issues
No updates to connector or packages in this release. Fixed bug CF-4223435 caused by previous update.
August 2024 - ColdFusion 2023 Update 9, ColdFusion 2021 Update 15
Release Date: August 20, 2024
This ColdFusion update primarily updated the version of Tomcat from 9.0.85 to 9.0.93.
Links & Resources
- CF2023 Update 10 - Adobe KB article for ColdFusion 2023 Update 9
- CF2023 Update 16 - Adobe KB article for ColdFusion 2021 Update 15
- Issue: Packages Removed - Charlie Arehart discusses the issue of removed packages caused by this update.
- Info: Charlie - Charlie Arehart discusses the details of the update.
Notes / Issues
No connector or package updates in this release.
Bug CF-4223435 removed packages previously installed during the update process (see link above). Fixed CF2023 update 10, CF2021 Update 16.
Latest ColdFusion Security Updates - May 2025 was first published on September 10, 2024.
If you like reading about coldfusion, security, updates, or hotfixes then you might also like:
- Determining Which Cumulative Hotfixes are Installed on ColdFusion
- You May Need to Reapply CF Security Hotfix CVE-2009-1877
- ColdFusion Server Security Scanner
- Fixinator 6.1.0 - Detecting Undefined Remote Arguments
The FuseGuard Web Application Firewall for ColdFusion & CFML is a high performance, customizable engine that blocks various attacks against your ColdFusion applications.