Latest Security Updates (September 2025)
The most recent security updates were released on September 9, 2025:
- ColdFusion 2025: Update 4
- ColdFusion 2023: Update 16
- ColdFusion 2021: Update 22
These September updates address a critical path traversal vulnerability (CVE-2025-54261) that could lead to arbitrary file system write, documented in security bulletin APSB25-93.
Previous 2025 Security Updates
July 2025 Updates
Released on July 8, 2025:
- ColdFusion 2025: Update 3
- ColdFusion 2023: Update 15
- ColdFusion 2021: Update 21
These updates included Tomcat upgrades to version 9.0.106 in CF2023 and CF2021, and Tomcat 10.1.42 in ColdFusion 2025.
May 2025 Updates
Released on May 13, 2025:
- ColdFusion 2025: Update 2
- ColdFusion 2023: Update 14
- ColdFusion 2021: Update 20
These resolved 7 critical vulnerabilities and 1 important vulnerability (APSB25-52).
April 2025 Updates
Released on April 8, 2025:
- ColdFusion 2025: Update 1
- ColdFusion 2023: Update 13
- ColdFusion 2021: Update 19
These resolved 11 critical vulnerabilities and 4 important vulnerabilities (APSB25-15).
What’s Included in the Security Updates
The 2025 security updates include:
- Tomcat upgrades to newer, more secure versions
- Security fixes for vulnerabilities including arbitrary file reads, code execution, privilege escalation, and security feature bypass
- New JVM flags for improved performance and security
- Changes to remote methods for enhanced security (requiring explicit argument definitions)
- OEM upgrades and various bug fixes
- IP restrictions for the jetty (ColdFusion Add On Services) server used for Solr and cfhtmltopdf
Critical Issue: CFMail Functionality Breaks After Updates
The Problem
The CFMail issue that first appeared with the July 2025 updates continues to affect administrators. Multiple users report that cfmail tags stop working after the security updates are applied. The error is a JVM bytecode verification failure (java.lang.VerifyError) raised when the JVM links ColdFusion's mail implementation class, which is why every cfmail call fails and not only signed mail. It manifests as:
Bad type on operand stack
Exception Details:
Location: coldfusion/mail/MailImpl.signMail(...)
Reason: Type 'org/bouncycastle/asn1/smime/SMIMEEncryptionKeyPreferenceAttribute'
(current frame, stack[1]) is not assignable to 'org/bouncycastle/asn1/ASN1Encodable'
This affects ColdFusion 2021, 2023 and 2025 installations that received the July 2025 updates or any later ones.
The Solution: Clear Felix Cache
The community-identified workaround remains the same:
Steps to fix CFMail issues:
- Stop ColdFusion service
- Delete the felix-cache directory
- Location: [CF Installation]/cfusion/bin/felix-cache/
- Some users also needed to delete the felix-the-cat folder
- Restart ColdFusion service
Adobe has officially acknowledged this workaround in their technical notes for Update 3 and later updates.
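The steps above as a repeatable script, added here as an example; it is not Adobe's tooling and not a script from the forum thread. It archives the cache instead of deleting it (so the change can be reverted), records an exception.log baseline before the restart, and then, once you have sent a test cfmail, reports whether the VerifyError signature has reappeared. Assumptions: the install root is CF_HOME (default /opt/ColdFusion2023), Adobe's Linux service script is cfusion/bin/coldfusion, and the VerifyError lands in cfusion/logs/exception.log; the log excerpt inside self_check is constructed, not captured from a real server.

```shell
#!/usr/bin/env bash
# Added example, not Adobe's tooling: the Felix cache workaround as a repeatable
# script with a post-restart check. Assumed: CF_HOME is the install root, Adobe's
# Linux service script is $CF_HOME/cfusion/bin/coldfusion, and the VerifyError is
# written to cfusion/logs/exception.log.
set -eu

CF_HOME="${CF_HOME:-/opt/ColdFusion2023}"

# Move cfusion/bin/felix-cache (and felix-the-cat, if present) into a timestamped
# backup directory instead of deleting them, so the change can be reverted.
# Prints the backup directory; returns 1 if neither directory exists.
archive_felix_cache() {
  local cf_home="$1" d moved=0
  local bin_dir="$cf_home/cfusion/bin"
  local backup_dir="$cf_home/felix-backup-$(date +%Y%m%d-%H%M%S)"
  for d in felix-cache felix-the-cat; do
    if [ -d "$bin_dir/$d" ]; then
      mkdir -p "$backup_dir"
      mv "$bin_dir/$d" "$backup_dir/"
      moved=1
    fi
  done
  if [ "$moved" -eq 0 ]; then
    echo "nothing to archive: no felix-cache or felix-the-cat under $bin_dir" >&2
    return 1
  fi
  printf '%s\n' "$backup_dir"
}

# Count lines after line $2 of $1 that carry the signMail VerifyError signature.
# Only lines written after the baseline are counted, so errors logged before the
# restart cannot mask (or fake) a successful fix. Prints 0 for a missing log.
signmail_errors_after_line() {
  local log_file="$1" start_line="$2"
  [ -f "$log_file" ] || { echo 0; return 0; }
  tail -n +"$((start_line + 1))" "$log_file" \
    | grep -c -e 'Bad type on operand stack' -e 'MailImpl.signMail' || true
}

# The steps from the article: stop ColdFusion, archive the cache, start ColdFusion.
# Also records the exception.log line count so verify_after_test_mail can tell
# new errors from old ones.
clear_cache() {
  local cf_home="$1" backup
  local cf_script="$cf_home/cfusion/bin/coldfusion"
  local log="$cf_home/cfusion/logs/exception.log"
  "$cf_script" stop
  backup=$(archive_felix_cache "$cf_home")
  echo "felix cache archived to $backup"
  if [ -f "$log" ]; then wc -l < "$log" > "$cf_home/.felix-baseline"; else echo 0 > "$cf_home/.felix-baseline"; fi
  "$cf_script" start
  echo "ColdFusion started; send a test cfmail, then run: $0 verify"
}

# The VerifyError only fires when mail is actually sent, so run this after a test
# cfmail rather than immediately after the restart.
verify_after_test_mail() {
  local cf_home="$1" baseline errors
  baseline=$(cat "$cf_home/.felix-baseline" 2>/dev/null || echo 0)
  errors=$(signmail_errors_after_line "$cf_home/cfusion/logs/exception.log" "$baseline")
  if [ "$errors" -gt 0 ]; then
    echo "signMail VerifyError logged $errors time(s) since the restart: clear the cache again;" \
         "if it keeps returning, contact cfinstal@adobe.com" >&2
    return 1
  fi
  echo "no signMail VerifyError since the restart"
}

# Offline self-check on a constructed directory tree and a constructed exception.log
# excerpt (no ColdFusion needed; the log lines are made up for the example).
self_check() {
  local tmp backup log
  tmp=$(mktemp -d)
  mkdir -p "$tmp/cfusion/bin/felix-cache/bundle0" "$tmp/cfusion/logs"
  : > "$tmp/cfusion/bin/felix-cache/bundle0/bundle.jar"
  backup=$(archive_felix_cache "$tmp")
  [ ! -e "$tmp/cfusion/bin/felix-cache" ] || return 1
  [ -f "$backup/felix-cache/bundle0/bundle.jar" ] || return 1
  log="$tmp/cfusion/logs/exception.log"
  cat > "$log" <<'EOF'
"Error","ajp-nio-8500-exec-1","07/09/25","10:00:01","","java.lang.VerifyError: Bad type on operand stack"
"Error","ajp-nio-8500-exec-1","07/09/25","10:00:01","","Location: coldfusion/mail/MailImpl.signMail"
"Information","main","07/09/25","10:05:00","","ColdFusion started"
"Error","ajp-nio-8500-exec-2","07/09/25","10:06:10","","java.lang.VerifyError: Bad type on operand stack"
"Information","scheduler","07/09/25","10:07:00","","Scheduled task ran"
EOF
  [ "$(signmail_errors_after_line "$log" 3)" -eq 1 ] || return 1   # only the post-restart error
  [ "$(signmail_errors_after_line "$log" 0)" -eq 3 ] || return 1   # everything, old and new
  rm -rf "$tmp"
  echo "self-check passed"
}

case "${1:-}" in
  clear)      clear_cache "$CF_HOME" ;;
  verify)     verify_after_test_mail "$CF_HOME" ;;
  self-check) self_check ;;
esac
```

Run `clear` inside the maintenance window, send a test cfmail, then run `verify`; `self-check` exercises the archive and log logic against a constructed tree without touching a live server. On Windows, substitute the service control commands for the two `coldfusion stop`/`start` calls; the archive and log-check functions are unchanged.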
Important Updates on the Issue
As of August 2025, Adobe reported having a fix available for the CFMail issue, with users advised to contact cfinstal@adobe.com for assistance. However, many administrators report the issue persists even with the September updates.
Some administrators have found they need to clear the Felix cache more than once: not just after the initial update, but again after subsequent ColdFusion restarts or crashes. That pattern points to the Felix (OSGi) bundle cache, which holds unpacked copies of the Java libraries ColdFusion ships, continuing to serve stale BouncyCastle classes alongside the updated ones instead of being rebuilt by the update.
What this means for you:
- Monitor your CFMail functionality closely after applying updates
- Be prepared to clear the felix cache multiple times
- Document your felix cache clearing procedures for rapid response
- Track the official bug report: CF-4227360
Docker Container Issues
The Problem
Administrators using ColdFusion Docker containers may experience deployment failures when security updates are first released. Containers can hang during package installation on a prompt that requires manual confirmation, which an unattended build cannot answer.
The Solution
Adobe typically updates Docker images 1-2 days after security updates are released. If you encounter this issue:
- Wait for updated Docker images
- Use manual offline updates if immediate deployment is required
- Pin package versions temporarily in your Docker configuration
Known Issues with Recent Updates
September 2025 Updates (Update 4/16/22)
No issues specific to the September updates have been reported at this time, and the updates appear to be stable; the Felix cache/CFMail issue from July, however, persists.
Other Ongoing Issues
- On non-Windows systems, editing the local PDF service from ColdFusion Administrator may remove the service
- The CAR (ColdFusion Archive) build process fails if the cfusion/packages directory doesn’t exist
- In some cases, scheduled tasks are deleted if the “Publish to a log file” option is enabled
Best Practices for Applying Security Updates
Pre-Update Preparation
- Test in non-production environments first
- Back up your felix-cache directory before updating
- Document your current CFMail configuration for quick troubleshooting
- Plan for potential CFMail downtime and user communication
- If you use MySQL, Adobe recommends using the latest MySQL Connector (version 8.0.15 or later)
During Update
- Apply updates during maintenance windows
- Monitor application logs closely during and after the update
- Test CFMail functionality immediately after the update completes
- Note that pathfilter.txt will be overwritten by the update; back up any custom modifications so you can re-apply them afterwards
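A small helper for the pathfilter.txt point above, added here as an example and not Adobe's tooling: it snapshots the file before the update and, afterwards, prints the entries the new file no longer contains, so they can be re-applied deliberately rather than rediscovered when something starts being served that should be blocked. The location cfusion/lib/pathfilter.txt is assumed, and the entries used in self_check are constructed placeholders, not real pathfilter.txt content.

```shell
#!/usr/bin/env bash
# Added example, not Adobe's tooling: keep a copy of pathfilter.txt from before the
# update and list the entries the updated file no longer contains, so custom
# additions can be re-applied. Assumed path: $CF_HOME/cfusion/lib/pathfilter.txt.
set -eu

CF_HOME="${CF_HOME:-/opt/ColdFusion2023}"
PATHFILTER="$CF_HOME/cfusion/lib/pathfilter.txt"

# Copy the live file to a timestamped .bak beside it; prints the backup path.
snapshot_pathfilter() {
  local src="$1" dst
  dst="$src.$(date +%Y%m%d-%H%M%S).bak"
  cp -p "$src" "$dst"
  printf '%s\n' "$dst"
}

# One entry per line, surrounding whitespace removed, blank lines dropped, sorted,
# so reordering or re-indentation by the installer does not show up as a change.
normalise_entries() {
  sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1" | sort -u
}

# Print entries present in the pre-update copy ($1) but missing from the current
# file ($2): the custom modifications the update dropped. Temp files are used
# instead of process substitution so this also runs under plain sh.
dropped_entries() {
  local before after
  before=$(mktemp); after=$(mktemp)
  normalise_entries "$1" > "$before"
  normalise_entries "$2" > "$after"
  comm -23 "$before" "$after"
  rm -f "$before" "$after"
}

# Offline self-check with constructed placeholder entries (not real pathfilter.txt content).
self_check() {
  local tmp
  tmp=$(mktemp -d)
  printf '/blocked/one\n  /blocked/two  \n/custom/internal-tool\n\n' > "$tmp/before.txt"
  printf '/blocked/two\n/blocked/one\n/blocked/added-by-update\n' > "$tmp/after.txt"
  [ "$(dropped_entries "$tmp/before.txt" "$tmp/after.txt")" = "/custom/internal-tool" ] || return 1
  rm -rf "$tmp"
  echo "self-check passed"
}

case "${1:-}" in
  snapshot)   snapshot_pathfilter "$PATHFILTER" ;;
  diff)       dropped_entries "$2" "$PATHFILTER" ;;   # $2 = the pre-update .bak path
  self-check) self_check ;;
esac
```

Run `snapshot` before the installer, then `diff <backup path>` once the update has finished; anything printed is an entry you added that the new pathfilter.txt lacks.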
Post-Update Monitoring
- Verify all mail functions are working correctly
- Check application error logs for any new issues
- Monitor for recurring felix cache issues
- Consider using the “cfpm purgecache” command as an alternative to manually deleting the felix-cache folder
- Keep the cache clearing procedure documented for quick response
For Docker Users
- Wait for official updated images rather than forcing updates
- Use specific version tags instead of “latest” for more predictable deployments
- Ensure container networking allows access to Adobe’s update servers if needed
Additional Security Considerations
With the April 2025 updates, Adobe added IP restrictions for the Jetty server (ColdFusion Add-on Services), which is used for Solr and cfhtmltopdf. This server is normally only accessed over localhost, so the restriction should only matter if you have deliberately pointed other hosts at it.
Since the May 2025 updates, the arguments of remote methods (functions with access="remote") must be explicitly declared, for example with cfargument tags.
Looking Forward
While the September 2025 updates successfully address the path traversal vulnerability, the CFMail issue that began with the July updates represents an ongoing concern for production environments. Adobe has acknowledged the problem and claims to have a fix available through direct contact, though many administrators continue to rely on the Felix cache-clearing workaround.
Recommendations:
- Apply security updates despite the CFMail issue – the security fixes are critical
- Implement monitoring for CFMail functionality
- Follow the official bug report (CF-4227360) for updates from Adobe
- Maintain documentation of your Felix cache clearing procedures
- Consider submitting feature requests for automatic Felix cache clearing on CF startup
- Contact cfinstal@adobe.com if CFMail issues persist after clearing the cache
Conclusion
The 2025 ColdFusion security updates bring essential security improvements but require careful handling due to the ongoing CFMail functionality issue. By understanding the problems and having solutions ready, administrators can maintain both security and functionality while Adobe works on a permanent fix.
The community response to these issues demonstrates the value of the ColdFusion administrator network – problems were quickly identified and solutions shared. Stay engaged with the community forums for the latest updates and workarounds.
Remember: Security updates should not be delayed due to functional issues. The vulnerabilities addressed in these updates pose greater risks than the CFMail caching problem, which has a known workaround.
More info
- APSB25-93 – Adobe Product Security Bulletin
- CF2025 Update 4 – Adobe KB article for ColdFusion 2025 Update 4
- CF2023 Update 16 – Adobe KB article for ColdFusion 2023 Update 16
- CF2021 Update 22 – Adobe KB article for ColdFusion 2021 Update 22
- Forum Thread – Adobe ColdFusion forum thread discussing CF2023u16 and CF2021u22, and CF2025u4.