Adobe Security Bulletin

Search

Security updates available for Adobe ColdFusion | APSB25-105

Bulletin ID

Date Published

Priority

APSB25-105

December 9, 2025

1

Summary

Adobe has released security updates for ColdFusion versions 2025, 2023 and 2021. These updates resolves critical and important vulnerability that could lead to arbitrary file system write, arbitrary file system read, arbitrary code execution, security feature bypass, and priviledge escalation. 

 Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates.

Affected Versions

Product

Update number

Platform

ColdFusion 2025

Update 4 and earlier versions

All

ColdFusion 2023

Update 16 and earlier versions
  

All

ColdFusion 2021

Update 22 and earlier versions

All

Solution

Adobe categorizes these updates with the following priority rating and recommends users update their installations to the newest versions:

Product

Updated Version

Platform

Priority rating

Availability

ColdFusion 2025

Update 5

All

1

Tech Note

ColdFusion 2023

Update 17

All

1

Tech Note

ColdFusion 2021

Update 23

All

1

Tech Note
Note

For security reasons, we strongly recommend to use latest mysql java connector. For more information on its usage, please  refer to: https://helpx.adobe.com/coldfusion/kb/coldfusion-configuring-mysql-jdbc.html

 See the updated serial filter documentation for more details on protection against insecure deserialization attacks: https://helpx.adobe.com/coldfusion/kb/coldfusion-serialfilter-file.html

Vulnerability Details

Vulnerability Category

Vulnerability Impact

Severity

CVSS base score 

CVSS vector

CVE Numbers

Unrestricted Upload of File with Dangerous Type (CWE-434)

 

Arbitrary code execution

Critical

9.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2025-61808

Improper Input Validation (CWE-20)

Security feature bypass

Critical

9.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2025-61809

Deserialization of Untrusted Data (CWE-502)

Arbitrary code execution

Critical

9.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2025-61830

Deserialization of Untrusted Data (CWE-502)

Arbitrary code execution

Critical

8.2

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

CVE-2025-61810

Improper Access Control (CWE-284)

Arbitrary code execution

Critical

8.4

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

CVE-2025-61811

Improper Input Validation (CWE-20)

Arbitrary code execution

Critical

8.4

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

CVE-2025-61812

Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)

Arbitrary file system read

Critical

8.2

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L

CVE-2025-61813

Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)

Arbitrary file system read

Important

6.8


CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

CVE-2025-61821

Improper Input Validation (CWE-20)

Arbitrary file system write

Important

6.2

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N

CVE-2025-61822

Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)

Arbitrary file system read

Important

6.2

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N

Important

CVE-2025-61823

Improper Access Control (CWE-284)

Priviledge escalation

Important

5


CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:H

CVE-2025-64897

Insufficiently Protected Credentials (CWE-522)

Priviledge escalation

Important

4.3

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CVE-2025-64898

Acknowledgements:

Adobe would like to thank the following researchers for reporting this issue and for working with Adobe to help protect our customers:   

  • Brian Reilly (reillyb) -- CVE-2025-61808, CVE-2025-61809
  • Nhien Pham (nhienit2010) -- CVE-2025-61812, CVE-2025-61822, CVE-2025-61823
  • nbxiglk -- CVE-2025-61810, CVE-2025-61811, CVE-2025-61813, CVE-2025-61821, CVE-2025-61830
  • Karol Mazurek (cr1m5on) -- CVE-2025-64897
  • bytehacker_sg -- CVE-2025-64898

NOTE: Adobe has a public bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please check out https://hackerone.com/adobe

Note

Adobe recommends updating your ColdFusion JDK/JRE LTS version to the latest update release as a secure practice. The ColdFusion downloads page is regularly updated to include the latest Java installers for the JDK version your installation supports as per the matrices below. 

For instructions on how to use an external JDK, view Change ColdFusion JVM

Adobe also recommends applying the security configuration settings included in the ColdFusion Security documentation as well as review the respective Lockdown guides.    

ColdFusion JDK Requirement

COLDFUSION 2025 (version 2023.0.0.331385) and above
For Application Servers

On JEE installations, set the following JVM flag, “-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**; !com.mysql.cj.jdbc.interceptors.**;!org.apache.commons.collections.**; " in the respective startup file depending on the type of Application Server being used.

For example:
Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file
WebLogic Application Server: edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file
WildFly/EAP Application Server: edit JAVA_OPTS in the ‘standalone.conf’ file
Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.

 

COLDFUSION 2023 (version 2023.0.0.330468) and above
For Application Servers

On JEE installations, set the following JVM flag, “-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**; !com.mysql.cj.jdbc.interceptors.**;!org.apache.commons.collections.**;" in the respective startup file depending on the type of Application Server being used.

For example:
Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file
WebLogic Application Server: edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file
WildFly/EAP Application Server: edit JAVA_OPTS in the ‘standalone.conf’ file
Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.

 

COLDFUSION 2021 (version 2021.0.0.323925) and above

For Application Servers   

On JEE installations, set the following JVM flag, “-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**; !com.mysql.cj.jdbc.interceptors.**;!org.apache.commons.collections.**;"

in the respective startup file depending on the type of Application Server being used.

For example:   

Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file   

WebLogic Application Server:  edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file   

WildFly/EAP Application Server:  edit JAVA_OPTS in the ‘standalone.conf’ file   

Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.   

For more information, visit https://helpx.adobe.com/security.html , or email PSIRT@adobe.com 

Adobe, Inc.

Get help faster and easier

New user?

Quick links

View all your plans Manage your plans
View quick links
Hide quick links

Legal Notices    |    Online Privacy Policy