Latest ColdFusion Security Updates - April 2025
By Pete Freitag

This page is updated with the latest ColdFusion Security Updates and Hotfixes published by Adobe.
Latest ColdFusion Security Update
April 2025 - ColdFusion 2025 Update 1, ColdFusion 2023 Update 13, ColdFusion 2021 Update 19
Release Date: April 8, 2025
Adobe Product Security Bulletin APSB25-15 fixes one critical vulnerability.
Vulnerabilities Fixed
This priority 1 security hotfix resolved 11 critical vulnerabilities and 4 important vulnerabilities.
Links & Resources
- APSB25-15 - Adobe Product Security Bulletin
- CF2025 Update 1 - Adobe KB article for ColdFusion 2025 Update 1
- CF2023 Update 13 - Adobe KB article for ColdFusion 2023 Update 13
- CF2021 Update 19 - Adobe KB article for ColdFusion 2021 Update 19
- Forum Thread - Adobe ColdFusion forum thread discussing CF2023u13, CF2021u19, and CF2025u1.
Notes / Issues
No updates to the connectors in this release. The administrator and ajax packages were updated as part of this release.
One notable change in this update is the addition of IP restrictions for the Jetty (ColdFusion Add On Services) server, which is used for Solr and cfhtmltopdf. Typically you only access this server over localhost; details for configuring the IPs can be found here.
Previous ColdFusion Security Updates
December 2024 - ColdFusion 2023 Update 12, ColdFusion 2021 Update 18
Release Date: December 23, 2024
Adobe Product Security Bulletin APSB24-107 fixes one critical vulnerability.
Vulnerabilities Fixed
- CVE-2024-53961 - critical (7.4), priority 1 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): arbitrary file system read
Links & Resources
- APSB24-107 - Adobe Product Security Bulletin
- CF2023 Update 12 - Adobe KB article for ColdFusion 2023 Update 12
- CF2021 Update 18 - Adobe KB article for ColdFusion 2021 Update 18
- Forum Thread - Adobe ColdFusion forum thread discussing ColdFusion 2023 Update 12 and CF 2021 Update 18.
- Info: Charlie Arehart - lots of great info for updating / mitigating
- Analysis: Brian Reilly - good analysis
Notes / Issues
No updates to the connectors in this release. The pmtagent package was updated as part of this release.
October 2024 - ColdFusion 2023 Update 11, ColdFusion 2021 Update 17
Release Date: October 15, 2024
This update was not a security hotfix update, although it did update some third-party libraries with vulnerabilities (such as netty).
Links & Resources
- CF2023 Update 11 - Adobe KB article for ColdFusion 2023 Update 11
- CF2021 Update 17 - Adobe KB article for ColdFusion 2021 Update 17
- Forum Thread - Adobe ColdFusion forum thread discussing ColdFusion 2023 Update 11 and CF 2021 Update 17.
September 2024 - ColdFusion 2023 Security Update 10, ColdFusion 2021 Security Update 16
Release Date: September 10, 2024
Adobe Product Security Bulletin APSB24-71 fixes one critical vulnerability.
Vulnerabilities Fixed
- CVE-2024-41874 - critical (9.8) Deserialization of Untrusted Data vulnerability allowing for arbitrary code execution
Links & Resources
- APSB24-71 - Adobe Product Security Bulletin
- CF2023 Update 10 - Adobe KB article for ColdFusion 2023 Update 10
- CF2021 Update 16 - Adobe KB article for ColdFusion 2021 Update 16
- Forum Thread - Adobe ColdFusion forum thread discussing ColdFusion 2023 Update 10 and CF 2021 Update 16.
Notes / Issues
No updates to connector or packages in this release. Fixed bug CF-4223435 caused by previous update.
August 2024 - ColdFusion 2023 Update 9, ColdFusion 2021 Update 15
Release Date: August 20, 2024
This ColdFusion update primarily updated the version of Tomcat from 9.0.85 to 9.0.93.
Links & Resources
- CF2023 Update 9 - Adobe KB article for ColdFusion 2023 Update 9
- CF2021 Update 15 - Adobe KB article for ColdFusion 2021 Update 15
- Issue: Packages Removed - Charlie Arehart discusses the issue of removed packages caused by this update.
- Info: Charlie - Charlie Arehart discusses the details of the update.
Notes / Issues
No connector or package updates in this release.
Bug CF-4223435 removed previously installed packages during the update process (see link above). Fixed in CF2023 Update 10 and CF2021 Update 16.
Latest ColdFusion Security Updates - April 2025 was first published on September 10, 2024.