2021.19.1
CVE-2025-54234 describes a Server-Side Request Forgery (SSRF) vulnerability affecting ColdFusion versions 0 through 2021.19. This vulnerability allows a high-privilege authenticated attacker to inject arbitrary URLs, forcing the application to make requests to unintended locations. The vulnerability is rated as CVSS 2.7 (LOW) and can result in limited file system reads.
The SSRF vulnerability in ColdFusion allows an attacker who has authenticated access to the system to manipulate the application into making requests to internal or external resources that it shouldn't. This can lead to the exposure of sensitive information, such as internal configuration files or data stored on the file system. While the vulnerability is rated as LOW severity, successful exploitation could provide an attacker with a foothold for further reconnaissance or lateral movement within the network. The ability to read files, even if limited, can reveal credentials or other sensitive data that could be used to escalate privileges or compromise other systems.
CVE-2025-54234 was published on 2025-08-18. There are currently no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog. Public proof-of-concept code is not currently available.
Exploit Status
EPSS: 0.05% (15th percentile)
The primary mitigation for CVE-2025-54234 is to upgrade to ColdFusion version 2025.1 or later, which contains the fix. If upgrading immediately is not possible, consider implementing input validation on any URLs that are accepted by the application to prevent attackers from injecting malicious URLs. Web application firewalls (WAFs) configured to block requests to internal or sensitive resources can also provide a layer of protection. Regularly review ColdFusion configuration to ensure least privilege access is enforced for all users.
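The interim advice above, "input validation on any URLs that are accepted by the application", is easy to get wrong for SSRF. The following is an added example of a strict destination check, not Adobe's code and not part of the advisory; it assumes a hypothetical allowlist of external hosts (`ALLOWED_HOSTS`) and rejects non-http(s) schemes, userinfo tricks and any IP literal in loopback, private, link-local or other non-public ranges.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist: the only external hosts the application may fetch from.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_url(url: str) -> bool:
    """True only if the URL is http(s), carries no userinfo, and targets either an
    allowlisted hostname or (never here, since literals are not allowlisted) a
    public IP literal. Loopback, private, link-local, mapped and reserved
    literals are rejected before the allowlist is even consulted."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False  # blocks file://, gopher://, dict:// and friends
    host = parts.hostname  # lower-cased; brackets stripped from IPv6 literals
    if not host or parts.username or parts.password:
        return False  # rejects http://api.example.com@10.0.0.1/ style confusion
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a hostname, not a literal (also catches "127.1", decimal IPs)
    if addr is not None:
        mapped = getattr(addr, "ipv4_mapped", None)  # ::ffff:127.0.0.1 -> 127.0.0.1
        if mapped is not None:
            addr = mapped
        if not addr.is_global or addr.is_multicast:
            return False
    return host in ALLOWED_HOSTS


if __name__ == "__main__":
    # Constructed sample inputs, printed with their verdicts.
    for candidate in ("https://api.example.com/v1/items",
                      "file:///etc/passwd",
                      "http://127.0.0.1:8500/",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://api.example.com@10.0.0.1/"):
        print(candidate, "->", "allowed" if is_safe_url(candidate) else "blocked")
```

A check like this covers the literal-address cases only; because an allowlisted hostname can still resolve to an internal address, the resolved address should be validated again at connection time.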
Update ColdFusion to version 2025.1, 2023.13 or 2021.19 or later. This will resolve the SSRF vulnerability. See the Adobe security bulletin for more details and specific instructions.
CVE-2025-54234 is a Server-Side Request Forgery (SSRF) vulnerability affecting ColdFusion versions 0 through 2021.19, allowing attackers to force the application to make arbitrary requests.
You are affected if you are running ColdFusion versions 0–2021.19. Upgrade to ColdFusion 2025.1 or later to mitigate the risk.
Upgrade to ColdFusion version 2025.1 or later. As a temporary workaround, implement input validation on URLs and configure a WAF to block suspicious requests.
As of the current date, there are no confirmed reports of active exploitation of CVE-2025-54234.
Please refer to the official Adobe Security Bulletin for CVE-2025-54234: [https://www.adobe.com/security/advisories/AdobeSecurityBulletin.txt](https://www.adobe.com/security/advisories/AdobeSecurityBulletin.txt)