Adobe’s ColdFusion 2025 Update 2 introduces not only security fixes and bug resolutions, but also two new JVM flags that provide developers with more control over remote method behavior and system probe execution.
In this post, we’ll explain what these new flags do, when to use them, and how to apply them in your environment, whether you’re running a traditional ColdFusion server or working in a
🏷️ What Are JVM Flags?
JVM flags (also called system properties) are configuration options passed to the Java Virtual Machine when starting ColdFusion. They control how ColdFusion behaves at runtime, allowing you to tune features, enforce security, or activate new functionality.
You typically apply these flags in the jvm.config file, or as environment variables when using containers like Docker.
🆕 New Flags in ColdFusion 2025 Update 2
1. -Dcoldfusion.runtime.remotemethod.matchArguments
💡 What it does:
This flag enforces strict argument matching for remote CFC methods. If a remote method expects two arguments, ColdFusion will reject any calls that send more or fewer than those two.
🔍 Why it matters:
By default, ColdFusion remote functions may be lenient with parameter count. That can cause unexpected bugs or security concerns in APIs. Enabling this flag ensures that every remote method call matches its signature exactly.
✅ When to use:
- You want tighter API validation.
- You’re debugging remote methods with unexpected behavior.
- You need consistency across remote endpoints.
🛠️ How to apply:
In jvm.config:
-Dcoldfusion.runtime.remotemethod.matchArguments=trueIn Docker (as an environment variable):
-e JAVA_OPTS="-Dcoldfusion.runtime.remotemethod.matchArguments=true"
2. -Dcoldfusion.systemprobe.allowexecution
💡 What it does:
This flag controls whether system probes (background checks ColdFusion performs to verify system health) are allowed to execute programs or scripts.
🔍 Why it matters:
In some hardened or sandboxed environments, allowing ColdFusion to execute system-level probes might raise security concerns. This flag lets you control that behavior explicitly.
✅ When to use:
- You’re locking down system-level access for compliance or security
- You want to prevent ColdFusion from executing any background processes
- You’re troubleshooting system probe behavior or exceptions
🛠️ How to apply:
In jvm.config:
-Dcoldfusion.systemprobe.allowexecution=falseIn Docker:
-e JAVA_OPTS="-Dcoldfusion.systemprobe.allowexecution=false"
🔧 Where to Add JVM Flags
On Traditional (On-Prem) ColdFusion Installations:
Edit the file located at:
{cf_home}/cfusion/bin/jvm.configFind the line that starts with java.args=, and append your desired flags, like so:
java.args=-Dcoldfusion.runtime.remotemethod.matchArguments=true -Dcoldfusion.systemprobe.allowexecution=false ...
Restart ColdFusion for the changes to take effect.
In Docker or Containerized Deployments:
Add them as part of the JAVA_OPTS environment variable in your docker run command or Docker Compose config.
Example:
docker run -e JAVA_OPTS="-Dcoldfusion.runtime.remotemethod.matchArguments=true -Dcoldfusion.systemprobe.allowexecution=false" ...
Final Thoughts on the New JVM Flags in ColdFusion 2025
These new JVM flags may seem minor—but they offer big benefits when it comes to security hardening, API control, and system transparency.
- ✅ Enable matchArguments for stricter, safer remote method calls.
- ✅ Use allowexecution to prevent ColdFusion from executing local probes if you’re in a restricted environment.
Have questions about applying these flags in your setup? Feel free to reach out—we’re always happy to help you get the most out of your ColdFusion stack.
