Adobe has just dropped ColdFusion 2025 Update 2 (released May 13, 2025), and it’s packed with critical security fixes, key feature updates, and several long-requested bug resolutions. Whether you’re running mission-critical applications or just dabbling in CFML, this update is one you shouldn’t skip.
Let’s break down what’s new, what’s changed, and why it matters to you.
🔐 Critical Security Fixes
At the top of the list are patches for multiple vulnerabilities, including:
- Arbitrary file system reads
- Arbitrary code execution
- Privilege escalation
- Security feature bypasses
These are serious issues that could expose your applications and infrastructure if left unpatched. Adobe has released Security Bulletin APSB25-52, which outlines the technical details.
⚠️ Note: If you’ve customized your serialfilter.txt file, the update will replace it. Be sure to back up your custom entries and restore them afterward.
🧪 Remote Method Behavior Has Changed
This update introduces stricter validation for remote CFC methods. If a remote function expects two parameters, it now must receive exactly two. Extra parameters will throw an error.
Example:
    <cffunction name="getUser" access="remote">
        <cfargument name="userId">
    </cffunction>
Calling this method with more than one parameter will now fail.
Why it matters: This improves debugging and enforces tighter API contracts — but could break integrations if you’re not prepared.
To control this behavior, Adobe added a new JVM flag:
-Dcoldfusion.runtime.remotemethod.matchArguments=true
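One way to inventory the remote methods this change affects before applying the update, as an added Python example (not Adobe's code and not from the original post): it lists each access="remote" function in a tag-based CFC with its declared arguments and reports caller-supplied names that are not declared. The helper names, the sample CFC apart from getUser, and the name-based comparison are assumptions; ColdFusion's own matching logic may differ.

```python
import re

# Tag-based CFML only; tag and attribute names are case-insensitive.
FUNC_RE = re.compile(r"<cffunction\b([^>]*)>(.*?)</cffunction\s*>", re.I | re.S)
ARG_RE = re.compile(r"<cfargument\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")

def _attrs(tag_body):
    """Return a tag's attributes as a dict with lower-cased keys."""
    return {k.lower(): (dq or sq) for k, dq, sq in ATTR_RE.findall(tag_body)}

def remote_methods(cfc_source):
    """Map each access="remote" function name to its declared argument names."""
    found = {}
    for head, body in FUNC_RE.findall(cfc_source):
        attrs = _attrs(head)
        if attrs.get("access", "").lower() != "remote":
            continue  # only remote methods are subject to the stricter validation
        found[attrs.get("name", "?")] = [
            _attrs(a).get("name", "?") for a in ARG_RE.findall(body)
        ]
    return found

def undeclared(declared, supplied):
    """Names a caller sends that the function does not declare (case-insensitive)."""
    known = {d.lower() for d in declared}
    return [s for s in supplied if s.lower() not in known]

# Constructed sample CFC: getUser is the article's function, the others are made up.
SAMPLE_CFC = """
<cfcomponent>
  <cffunction name="getUser" access="remote">
    <cfargument name="userId">
  </cffunction>
  <cffunction name="updateUser" access="Remote" returnformat="json">
    <cfargument name="userId" required="true">
    <cfargument name="email" required="true">
  </cffunction>
  <cffunction name="audit" access="private">
    <cfargument name="entry">
  </cffunction>
</cfcomponent>
"""

if __name__ == "__main__":
    for name, args in remote_methods(SAMPLE_CFC).items():
        print(f"{name}: {len(args)} declared -> {args}")
    # Constructed caller that sends one argument too many to getUser.
    print(undeclared(remote_methods(SAMPLE_CFC)["getUser"], ["userId", "verbose"]))
```

Comparing the inventory against what each integration actually sends shows which callers to fix before strict matching starts rejecting them.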
🧩 New JVM Flags
Update 2 introduces two new JVM arguments:
- -Dcoldfusion.runtime.remotemethod.matchArguments: Enables strict parameter matching for remote methods.
- -Dcoldfusion.systemprobe.allowexecution: Controls whether system probes can execute commands.
You can view all supported JVM arguments in the official documentation.
🔧 Bug Fixes You’ve Been Waiting For
Several annoying bugs have been squashed:
- ✅ PDF generation issues from previous updates have been resolved.
- ✅ Scheduled tasks not saving output to file are fixed — with a catch (see below).
- ✅ Docker CLI command t.cfm no longer causes Null Pointer Exceptions.
- ✅ Add-on installer issues and broken FTP/ZIP packages are now addressed.
- ✅ AWS AMI deployments throwing isAutoRestartInstances errors are fixed.
Heads-up: For some issues (like scheduled tasks), you may still need to manually back up and restore neo-cron.xml.
📁 Path Filter Upgrade: From TXT to JSON
The previous pathfilter.txt file has been replaced by a more structured pathfilter.json, allowing finer-grained control over:
- Bytecode execution paths
- Scheduler execution paths
Here’s what the new format looks like:
    {
        "bytecodeexecutionpaths": "",
        "schedulerexecutionpaths": ""
    }
Tasks writing to the file system must now be whitelisted in this file, or they won’t work.
⚙️ Admin API Enhancement
A new Admin API method has been added:
    obj = createObject("component","cfide.adminapi.scheduler")
    writeOutput(obj.canSystemProbeExecuteFile())
This helps you determine whether system probes can run, which is useful for scripting and diagnostics.
🧱 Add-on Installer Updates
Adobe has refreshed the add-on installers for this update. If you’re using features like PDFg, Solr, or the Performance Monitoring Toolset, download the latest versions to avoid compatibility issues.
🧭 Known Issues (and Workarounds)
While Update 2 fixes a lot, it introduces a few caveats:
- CAR files may fail if the /packages folder is missing.
- On non-Windows systems, editing the local PDF service can cause it to disappear due to jetty-ipaccess.xml blocking 127.0.0.1. ✅ Workaround: manually whitelist the IP.
- Scheduled tasks using “Save output to file” may be removed unless explicitly allowed in pathfilter.json.
Always back up your configs (neo-cron.xml, etc.) before updating!
🎯 Final Thoughts
ColdFusion 2025 Update 2 is more than a patch — it’s a significant quality and security upgrade. Between security hardening, stricter enforcement of remote methods, and improved path control, this update modernizes how ColdFusion apps handle input, output, and access control.
Don’t delay — patch today.
If you need assistance preparing or rolling out this update in production, please don’t hesitate to contact us. Better safe than sorry!