ColdFusion serialfilter file

Java serial filter (serialfilter)

The Java serial filter (serialfilter.txt) is a JVM‑level deserialization control: it decides which Java classes or packages may be deserialized at all.

This filter protects ColdFusion (and the hosting JVM) against insecure Java deserialization by refusing to deserialize any class or package that is not permitted.

From Update 5 onwards

From this update, ColdFusion blocks all class deserialization by default. ColdFusion applies a default‑deny deserialization policy built from an internal allowlist of the classes the platform itself requires plus the cfusion/lib/serialfilter.txt file, which you can edit to allow additional classes or packages you have reviewed as safe. A class on neither list is blocked, and an error is logged advising you to add the class or package to serialfilter.txt if you want to allow it.

When a class is blocked, ColdFusion logs a clear message in both server.log and exception.log, for example:
"Error","http-nio-8502-exec-1","11/12/25","11:34:20","","Due to security reasons, java.util.HashMap is blocked for deserialization. Add the class/package in the file cfusion/lib/serialfilter.txt to override the behavior and allow deserialization."

If you need to debug further, the full stack trace is written to exception.log.

If required for backward compatibility or troubleshooting, you can temporarily restore the previous, less restrictive behaviour by starting the JVM with -Dcoldfusion.deserialization.safeguard.enabled=false. This switch turns the safeguard off and is intended only for non-production use; it is not recommended for production environments.

In earlier JEE deployments, the serialfilter.txt file had no effect, and administrators had to rely on the -Djdk.serialFilter JVM option instead. This limitation has been addressed, and serialfilter.txt now works in JEE deployments. If both are configured, the -Djdk.serialFilter setting continues to take precedence over serialfilter.txt.

ColdFusion serial filter (cfserialfilter)

The ColdFusion serial filter is configured in the cfserialfilter.txt file and is specifically intended to protect against insecure WDDX deserialization attacks.

As a security precaution, ColdFusion internal classes are blocked from WDDX deserialization, except for the few classes ColdFusion needs to run normally.

By default, the classes that ColdFusion allows for WDDX deserialization are:

java.util.Locale;
java.util.Collections$EmptySet;
java.util.HashMap;
coldfusion.server.ConfigMap;
coldfusion.util.FastHashtable;
coldfusion.saml.SpConfiguration;
coldfusion.saml.IdpConfiguration;
coldfusion.runtime.CaseSensitiveStruct;
coldfusion.scheduling.mod.ScheduleTagData;
coldfusion.runtime.ArgumentCollection;
coldfusion.util.CaseInsensitiveMap;
coldfusion.runtime.AttributeCollection;
coldfusion.sql.QueryTable;
coldfusion.archivedeploy.Archive;
coldfusion.scheduling.ScheduleTagData;
coldfusion.osgi.to.ScheduleTagTO;

Use cfserialfilter.txt to customize this allowlist.

Any class other than those listed above is blocked from WDDX deserialization, and each block is logged in wddx.log.

What happens if your application uses additional packages?

If your applications use packages or classes that cfserialfilter.txt does not allow, they do not work as expected, and an error is logged in:

<CF_HOME>/logs/wddx.log

Due to security reasons, com.sun.rowset.JdbcRowSetImpl is blocked for deserialization. Add the class or package in the file: cfusion/lib/cfserialfilter.txt to override the behavior and allow deserialization.

How can you identify external Java packages or classes?

  1. Download the patches for your ColdFusion version from the following location:

  2. Copy the downloaded file to <CF_HOME>/lib/updates and restart ColdFusion.

  3. Run your applications.

    You'll find the list of blocked packages or classes in the <CF_HOME>/logs/wddx.log file.

  4. Delete the patch after you have obtained the list of packages and classes.
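The following is an added example, not part of Adobe's documentation or ColdFusion's own code. It turns the blocked-class messages that server.log (Java serial filter, shown earlier on this page) and wddx.log (ColdFusion serial filter) emit into a de-duplicated candidate list, and separates out anything under the gadget packages that this page's April 2025 -Djdk.serialFilter recommendation blocks, so those never end up in an allowlist. The log lines are constructed samples following the CSV layout shown on this page; the regular expression, the prefix check and the function names are the example's own assumptions.

```python
import csv
import io
import re

# Constructed sample log lines (not from a real server), following the CSV
# layout shown on this page: "Severity","ThreadID","Date","Time","Application","Message".
SAMPLE_LOG = "\n".join([
    '"Information","http-nio-8502-exec-3","11/12/25","11:34:19","","Application startup complete"',
    '"Error","http-nio-8502-exec-1","11/12/25","11:34:20","","Due to security reasons, java.util.HashMap is blocked for deserialization. Add the class/package in the file cfusion/lib/serialfilter.txt to override the behavior and allow deserialization."',
    '"Error","http-nio-8502-exec-2","11/12/25","11:35:02","","Due to security reasons, com.sun.rowset.JdbcRowSetImpl is blocked for deserialization. Add the class or package in the file cfusion/lib/cfserialfilter.txt to override the behavior and allow deserialization."',
    '"Error","http-nio-8502-exec-2","11/12/25","11:35:03","","Due to security reasons, com.sun.rowset.JdbcRowSetImpl is blocked for deserialization. Add the class or package in the file cfusion/lib/cfserialfilter.txt to override the behavior and allow deserialization."',
    '"Error","http-nio-8502-exec-4","11/12/25","11:36:40","","Due to security reasons, com.example.app.OrderDTO is blocked for deserialization. Add the class or package in the file cfusion/lib/cfserialfilter.txt to override the behavior and allow deserialization."',
])

# Matches the blocked-class message quoted on this page; the class name
# (including any '$' for nested classes) is captured up to ' is blocked'.
BLOCKED_RE = re.compile(r"Due to security reasons, (?P<cls>[\w$.]+) is blocked for deserialization")

# Package prefixes taken from the page's April 2025 -Djdk.serialFilter
# recommendation: publicly known deserialization gadget sources. Never allowlist these.
KNOWN_GADGET_PREFIXES = (
    "org.mozilla.", "com.sun.syndication.", "org.apache.commons.beanutils.",
    "org.jgroups.", "com.sun.rowset.", "com.mysql.cj.jdbc.interceptors.",
    "org.apache.commons.collections.",
)

def blocked_classes(log_text):
    """Map each blocked class name to the number of times it was logged."""
    counts = {}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 6:
            continue                       # not a standard ColdFusion log row
        m = BLOCKED_RE.search(row[5])      # the Message column
        if m:
            counts[m["cls"]] = counts.get(m["cls"], 0) + 1
    return counts

def triage(counts):
    """Split blocked names into (candidates to review, names to keep blocked)."""
    review, keep_blocked = [], []
    for cls in sorted(counts):
        (keep_blocked if cls.startswith(KNOWN_GADGET_PREFIXES) else review).append(cls)
    return review, keep_blocked

def suggested_entries(review):
    """Exact-class entries in the one-per-line, semicolon-terminated style of the
    default list on this page, for a human to review before editing the file."""
    return "\n".join(f"{cls};" for cls in review)

if __name__ == "__main__":
    counts = blocked_classes(SAMPLE_LOG)
    review, keep_blocked = triage(counts)
    print("candidates to review:", review)
    print("keep blocked (known gadget packages):", keep_blocked)
    print(suggested_entries(review))
```

Run it against a real <CF_HOME>/logs/wddx.log by reading the file into `blocked_classes`; the output is a review list, not something to paste into cfserialfilter.txt unread, since the page's guidance is to leave out any class with a publicly reported deserialization issue.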

What to do once additional packages and/or classes are identified?

If you want to apply the update, perform the following steps:

  1. Apply the update.

  2. If a deserialization vulnerability has been publicly reported for any of the packages or classes you identified, Adobe recommends not adding them to the allowed list.

  3. Open the file cfserialfilter.txt in <CF_HOME>/lib.

  4. To allow a class or package, add an entry in the following format (entries are separated by semicolons):

    • Class: <package_name>.<class_name>, for example java.util.Date
    • Package: <package_name>.**, for example java.util.**
  5. cfserialfilter.txt can also be used to block packages or classes. Prefix the entry with an exclamation mark:
    • Class: !<package_name>.<class_name>
    • Package: !<package_name>.**
    Note

    The order in which the packages or classes are listed matters, because the first matching entry decides. For example, if you have allowed the package java.util.** but want to block the class java.util.Date within that package, specify !java.util.Date;java.util.**. If the order is reversed, java.util.** matches first and every class in the package, including java.util.Date, is allowed.

  6. Restart ColdFusion.
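The following is an added example (Python, not ColdFusion's or Adobe's code) that models the entry syntax described in steps 4 and 5 and the first-match ordering rule in the Note, so a draft cfserialfilter.txt can be checked against collected class names before the server is restarted. It assumes the file follows the JDK's jdk.serialFilter pattern rules, which is what the "!" prefix, the ".**" suffix and the order sensitivity described here correspond to; the function names and the "BLOCKED" outcome for a class that matches no entry (the page's default-deny behaviour) are the example's own conventions. The default list is copied from this page.

```python
# Model of the filter syntax described on this page (an illustration, not
# ColdFusion's implementation). Rules, assumed to follow the JDK's
# jdk.serialFilter patterns: entries are separated by ';'; a leading '!'
# rejects; 'pkg.**' matches the package and all sub-packages; 'pkg.*' matches
# only that package; a bare trailing '*' is a name prefix; anything else is an
# exact class name. The FIRST matching entry decides. Under ColdFusion's
# default-deny policy, a class matched by no entry is blocked.

# The default WDDX allowlist exactly as listed on this page.
DEFAULT_CFSERIALFILTER = (
    "java.util.Locale;java.util.Collections$EmptySet;java.util.HashMap;"
    "coldfusion.server.ConfigMap;coldfusion.util.FastHashtable;"
    "coldfusion.saml.SpConfiguration;coldfusion.saml.IdpConfiguration;"
    "coldfusion.runtime.CaseSensitiveStruct;coldfusion.scheduling.mod.ScheduleTagData;"
    "coldfusion.runtime.ArgumentCollection;coldfusion.util.CaseInsensitiveMap;"
    "coldfusion.runtime.AttributeCollection;coldfusion.sql.QueryTable;"
    "coldfusion.archivedeploy.Archive;coldfusion.scheduling.ScheduleTagData;"
    "coldfusion.osgi.to.ScheduleTagTO"
)

def parse_filter(text):
    """Return ordered (allow, pattern) pairs; newlines are treated like ';'."""
    entries = []
    for raw in text.replace("\n", ";").split(";"):
        pat = raw.strip()
        if not pat or "=" in pat:      # skip blanks and limit directives (maxdepth=, ...)
            continue
        entries.append((not pat.startswith("!"), pat.lstrip("!")))
    return entries

def matches(pattern, class_name):
    """Pattern rules, checked in the order the JDK applies them."""
    if pattern.endswith(".**"):        # package and all sub-packages
        return class_name.startswith(pattern[:-2])
    if pattern.endswith(".*"):         # this package only
        prefix = pattern[:-1]
        return class_name.startswith(prefix) and "." not in class_name[len(prefix):]
    if pattern.endswith("*"):          # plain name prefix
        return class_name.startswith(pattern[:-1])
    return class_name == pattern       # exact class name

def decide(entries, class_name):
    """'ALLOWED' or 'REJECTED' from the first match; 'BLOCKED' when nothing matches."""
    for allow, pattern in entries:
        if matches(pattern, class_name):
            return "ALLOWED" if allow else "REJECTED"
    return "BLOCKED"

def ordering_demo():
    """Reproduce the page's Note: '!java.util.Date;java.util.**' blocks Date,
    while the reversed order lets java.util.** match first and allows it."""
    good = parse_filter("!java.util.Date;java.util.**")
    bad = parse_filter("java.util.**;!java.util.Date")
    default = parse_filter(DEFAULT_CFSERIALFILTER)
    return {
        "good:Date": decide(good, "java.util.Date"),
        "good:HashMap": decide(good, "java.util.HashMap"),
        "bad:Date": decide(bad, "java.util.Date"),
        "default:HashMap": decide(default, "java.util.HashMap"),
        "default:JdbcRowSetImpl": decide(default, "com.sun.rowset.JdbcRowSetImpl"),
    }

if __name__ == "__main__":
    for key, verdict in ordering_demo().items():
        print(f"{key:24} {verdict}")
```

Because matching stops at the first hit, a broad allow entry such as java.util.** placed before a narrower reject entry silently neutralises the reject; put every "!" entry ahead of the allow entries it is meant to carve out of.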

Document revision history

  • 8 April 2025: On JEE installations, set the following JVM flag, "-Djdk.serialFilter=!org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**;!com.mysql.cj.jdbc.interceptors.**;!org.apache.commons.collections.**;", in the startup file of the application server you use.
  • 12 March 2024: Before Update 7, the classes allowed for WDDX deserialization were read from the cfserialfilter.txt file. With Update 7, that list is built into the code as the default allowlist, to prevent accidental exposure to a WDDX deserialization vulnerability. The same update adds the class coldfusion.osgi.to.ScheduleTagTO to the default allowlist.
    cfserialfilter.txt can still be used to specify a customized list of additional classes or packages you consider safe for WDDX deserialization. Entries in cfserialfilter.txt always take priority over the built-in default list.
  • References to ColdFusion 2023 (Update 3) and ColdFusion (2021) Update 9 were removed.
  • Updated the default for cfserialfilter.

Adobe, Inc.
