Fixinator 6.1.0 - Detecting Undefined Remote Arguments
By Pete Freitag

Today, I released Fixinator version 6.1.0 which includes several enhancements to the CFML code security scanning to provide more accurate results. This release also updates the Adobe ColdFusion compatibility scanner to account for the breaking change in the latest ColdFusion security update (ColdFusion 2025 Update 2, ColdFusion 2023 Update 14, ColdFusion 2021 Update 20).
Adobe Compatibility: Undefined arguments in remote functions
Fixinator now detects the use of undefined arguments in a remote function. Here's an example of a function that will trigger this error:
    component {
        remote string function example(x=0) {
            if (structKeyExists(arguments, "y")) {
                return arguments.y;
            }
            return arguments.x;
        }
    }
On the latest versions of ColdFusion 2021, 2023 and 2025 you will get an error if you pass the argument y (or any argument name besides x) to the remote function. The error you might get looks like this:
coldfusion.runtime.UDFMethod$IllegalArgumentException: Function example does not support y as an argument in c:\inetpub\wwwroot\example.cfc at coldfusion.runtime.UDFMethod.validateArguments
It is worth pointing out that this error will occur on the remote function even if it is not accessed as a remote function. So you can fix this issue by making the function public instead of remote if you are not calling it as a web service or as /example.cfc?method=example&y=1.
So if you want to scan your source code for this type of issue, you can run a ColdFusion 2025 compatibility scan like this:
fixinator path=c:\mycode\ goals=compatibility engines=adobe@2025
Fixinator will tag the above function with a message like this:
As of ColdFusion 2025 update 2, 2023 update 14, and 2021 update 20 you can no longer use undefined arguments in a remote function. This can be overridden by system properties, but is not recommended for security purposes.
The system property that controls this feature is named coldfusion.runtime.remotemethod.matchArguments, and it defaults to true. You can disable the feature by setting the Java system property:
-Dcoldfusion.runtime.remotemethod.matchArguments=false
The above would be added in your jvm.config or in the ColdFusion administrator (requires restarting ColdFusion).
I've updated my list of ColdFusion 2025 breaking changes to include this issue as well.
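To make the pattern concrete, here is an added example (not from the original post, and not Fixinator's implementation) of a small static check that flags remote functions whose bodies reference argument names that are not declared. It assumes script-style components with simple parameter lists; the function names and regexes are illustrative, and it does not strip comments or string literals.

```python
import re

# Regex approximation of a scanner rule (assumption; not how Fixinator works).
REMOTE_FN = re.compile(
    r"\bremote\b[^{;()]*?\bfunction\s+(\w+)\s*\(([^)]*)\)[^{]*\{", re.I)
# Ways a function body can reference a named key of the arguments scope.
ARG_REFS = [
    re.compile(r"\barguments\.(\w+)", re.I),
    re.compile(r"\barguments\[\s*[\"'](\w+)[\"']\s*\]", re.I),
    re.compile(r"structKeyExists\(\s*arguments\s*,\s*[\"'](\w+)[\"']\s*\)", re.I),
]

def declared_args(param_list):
    """Return lower-cased names from a list such as 'required string x, y=0'."""
    heads = (p.split("=")[0].split() for p in param_list.split(","))
    return {h[-1].lower() for h in heads if h}

def function_body(source, open_brace):
    """Return the text between the brace at open_brace and its matching brace."""
    depth = 0
    for i in range(open_brace, len(source)):
        if source[i] == "{":
            depth += 1
        elif source[i] == "}":
            depth -= 1
            if depth == 0:
                return source[open_brace + 1:i]
    return source[open_brace + 1:]  # unbalanced input: take the rest

def undefined_remote_args(source):
    """Map each remote function name to the undeclared argument names it uses."""
    findings = {}
    for m in REMOTE_FN.finditer(source):
        declared = declared_args(m.group(2))
        body = function_body(source, m.end() - 1)
        used = {n.lower() for rx in ARG_REFS for n in rx.findall(body)}
        missing = sorted(used - declared)
        if missing:
            findings[m.group(1)] = missing
    return findings

# Constructed sample: the post's example plus a public function that is ignored.
SAMPLE = '''component {
    remote string function example(x=0) {
        if (structKeyExists(arguments, "y")) { return arguments.y; }
        return arguments.x;
    }
    public string function helper(x=0) { return arguments.z; }
}'''
```

A check like this only sees argument names that appear in the function body; it cannot see names supplied only at request time.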
Other improvements
A few other minor improvements include support for --json, which returns your Fixinator results as JSON, and --forceLocal, which is used for the enterprise version to ensure that the scan is conducted locally.
Go and grab a trial of Fixinator, and scan your ColdFusion code!
Fixinator 6.1.0 - Detecting Undefined Remote Arguments was first published on May 29, 2025.
Can you clarify if you're also able to detect the less obvious aspect of this update, where the mere existence of any url or form vars (defined anywhere in the flow of execution of the call to such a remote method) will ALSO cause those vars to be passed in by cf, implicitly--which thus fails now if they are not defined as args?
I suspect this is harder for you to detect, as it's more a runtime impact that's hard to find via static analysis. But people who hit it will wonder.