Adobe ColdFusion Server-Side Request Forgery Vulnerability Allowing Arbitrary File System Read

A Server-Side Request Forgery (SSRF) vulnerability has been identified in Adobe ColdFusion versions 2025.2, 2023.14, and 2021.20 and earlier. This vulnerability allows high-privilege authenticated attackers to manipulate the application into making arbitrary requests, potentially leading to unauthorized access to the file system. The issue is confined to internal IP addresses and exploitation does not require user interaction.

Impact

Exploitation of this vulnerability could result in unauthorized reading of the file system, potentially leading to exposure of sensitive information.

Remediation

Users are advised to update to ColdFusion 2025 Update 3, ColdFusion 2023 Update 15, or ColdFusion 2021 Update 21. For instructions on how to update, refer to the Adobe ColdFusion downloads page. Additionally, for ColdFusion 2025, 2023, and 2021, set the JVM flag '-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**;!com.mysql.cj.jdbc.interceptors.**;!org.apache.commons.collections.**;' in the respective startup file for the application server being used.