Platform
java
Component
coldfusion
Fixed in
2021.19.1
CVE-2025-54234 describes a Server-Side Request Forgery (SSRF) vulnerability affecting ColdFusion versions 0 through 2021.19. This vulnerability allows a high-privilege authenticated attacker to inject arbitrary URLs, forcing the application to make requests to unintended locations. The vulnerability is rated as CVSS 2.7 (LOW) and can result in limited file system reads.
The SSRF vulnerability in ColdFusion allows an attacker with authenticated access to manipulate the application's outbound requests. By injecting malicious URLs, an attacker can potentially trigger the server to access internal resources or external systems that it shouldn't. While the vulnerability is rated as LOW severity, successful exploitation could lead to the exposure of sensitive file system data, potentially including configuration files or other sensitive information. This could be a stepping stone for further attacks, such as privilege escalation or data exfiltration. The lack of user interaction required for exploitation increases the risk.
CVE-2025-54234 was published on 2025-08-18. No public proof-of-concept (PoC) code is currently available. The vulnerability's CVSS score of 2.7 indicates a low probability of exploitation. It is not currently listed on the CISA KEV catalog. Active campaigns targeting this vulnerability are not currently known.
Organizations running ColdFusion versions 0 through 2021.19, particularly those with internal applications or services that rely on ColdFusion, are at risk. Environments where ColdFusion is used for processing user-supplied data without proper input validation are especially vulnerable.
• java / server:
  ps aux | grep -i coldfusion
• java / server:
  journalctl -u coldfusion -f | grep -i "Server-Side Request Forgery"
• generic web:
  curl -I <coldfusion_url>
• generic web:
  grep -r "Server-Side Request Forgery" /opt/coldfusion/cfusion/wwwroot/includes/ # Adjust path as needed
Disclosure
Exploit status
EPSS
0.05% (15th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-54234 is to upgrade to ColdFusion version 2025.1 or later, which includes the fix. If upgrading immediately is not possible, consider implementing temporary workarounds. Restricting outbound network access using a firewall or proxy server can limit the potential impact of the vulnerability by preventing the application from making requests to unauthorized destinations. Thoroughly validate all user-supplied URLs to prevent malicious injection. Regularly review and update ColdFusion's configuration to minimize the attack surface. After upgrading, confirm the fix by attempting to trigger the SSRF vulnerability and verifying that the request is blocked.
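The "validate all user-supplied URLs" workaround above is only effective if the check is an allowlist applied before the outbound request is built. The following Java class is an added example written for this page, not code from Adobe or ColdFusion; the class name OutboundUrlPolicy, the hypothetical allowed host api.example.com and the sample inputs are all constructed for illustration. It accepts only https URLs whose host is on an explicit allowlist, and rejects embedded credentials, IP-literal hosts and non-default ports, which are the usual ways a fetch is redirected to internal services.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/**
 * Allowlist policy for URLs the application fetches on a user's behalf.
 * Hypothetical helper (not part of ColdFusion): anything that is not an
 * explicitly approved https endpoint is rejected before a request is issued.
 */
public final class OutboundUrlPolicy {

    private final Set<String> allowedHosts; // lowercase host names, exact match

    public OutboundUrlPolicy(Set<String> allowedHosts) {
        this.allowedHosts = allowedHosts;
    }

    /** Returns the parsed URI if the input is acceptable, otherwise throws. */
    public URI validate(String rawUrl) {
        final URI uri;
        try {
            uri = new URI(rawUrl.trim());
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed URL", e);
        }
        // Only https is permitted; file:, ftp:, gopher: and friends are rejected outright.
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IllegalArgumentException("scheme not permitted: " + uri.getScheme());
        }
        // Credentials embedded in the URL (user:pass@host) are a classic parser-confusion trick.
        if (uri.getRawUserInfo() != null) {
            throw new IllegalArgumentException("userinfo not permitted");
        }
        String host = uri.getHost();
        if (host == null || host.isEmpty()) {
            throw new IllegalArgumentException("no host in URL");
        }
        host = host.toLowerCase(Locale.ROOT);
        // IP literals sidestep name-based allowlisting and are the usual route to
        // loopback, link-local or cloud metadata addresses; reject them entirely.
        if (isIpLiteral(host)) {
            throw new IllegalArgumentException("IP literal hosts not permitted");
        }
        if (!allowedHosts.contains(host)) {
            throw new IllegalArgumentException("host not on allowlist: " + host);
        }
        // Default port only, so an allowed host cannot be used to reach other services on it.
        if (uri.getPort() != -1 && uri.getPort() != 443) {
            throw new IllegalArgumentException("non-default port not permitted");
        }
        return uri;
    }

    private static boolean isIpLiteral(String host) {
        // URI.getHost() keeps the square brackets around IPv6 literals.
        if (host.startsWith("[") && host.endsWith("]")) {
            return true;
        }
        return host.matches("\\d{1,3}(\\.\\d{1,3}){3}");
    }

    public static void main(String[] args) {
        OutboundUrlPolicy policy = new OutboundUrlPolicy(Set.of("api.example.com"));
        String[] samples = { // constructed inputs for demonstration only
            "https://api.example.com/v1/report",   // expected: ALLOW
            "https://api.example.com:8443/admin",  // DENY: non-default port
            "http://api.example.com/v1/report",    // DENY: scheme
            "https://user:pw@api.example.com/",    // DENY: userinfo
            "https://127.0.0.1/",                  // DENY: IP literal
            "https://[::1]/",                      // DENY: IPv6 literal
            "file:///tmp/demo",                    // DENY: scheme
        };
        for (String s : samples) {
            try {
                System.out.println("ALLOW " + policy.validate(s));
            } catch (IllegalArgumentException e) {
                System.out.println("DENY  " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The allowlist is deliberately an exact match on the host rather than a pattern or a denylist of private ranges: a denylist has to anticipate every encoding of an internal address, while an allowlist only has to name the few endpoints the application legitimately calls. Combine it with the egress firewall or proxy restriction the text recommends, since the network control still holds if a code path is missed.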
Update ColdFusion to version 2025.1, 2023.13 or 2021.19 or higher. This fixes the SSRF vulnerability. Further details and specific instructions can be found in the Adobe Security Bulletin.
CVE-2025-54234 is a Server-Side Request Forgery (SSRF) vulnerability affecting ColdFusion versions 0 through 2021.19, allowing attackers to force the application to make arbitrary requests.
You are affected if you are running ColdFusion versions 0–2021.19. Upgrade to ColdFusion 2025.1 or later to mitigate the risk.
Upgrade to ColdFusion version 2025.1 or later. As a temporary workaround, implement input validation on URLs and configure a WAF to block suspicious requests.
As of the current date, there are no confirmed reports of active exploitation of CVE-2025-54234.
Please refer to the official Adobe Security Bulletin for CVE-2025-54234: [https://www.adobe.com/security/advisories/AdobeSecurityBulletin.txt](https://www.adobe.com/security/advisories/AdobeSecurityBulletin.txt)