Platform: java
Component: coldfusion
Fixed in: 2021.19.1
CVE-2025-54234 is a Server-Side Request Forgery (SSRF) vulnerability in Adobe ColdFusion affecting releases up to 2021.19 (the version range recorded for this entry; the fix line below also lists 2023 and 2025 builds, so check the Adobe bulletin for your branch). A high-privilege authenticated attacker can supply an arbitrary URL that the application then fetches server-side, causing requests to destinations the application never intended to reach. The vulnerability carries a CVSS score of 2.7 (LOW) and its documented impact is a limited read of the file system.
Because the request originates from the ColdFusion host itself, an authenticated attacker can direct it at internal resources that are not reachable from the outside, or at local files, and read back the response. Even a limited file read can expose configuration files, credentials or other data that support further reconnaissance, privilege escalation or lateral movement, which is why the LOW rating should not be read as "safe to ignore" on servers that hold sensitive configuration or sit on a trusted network segment. The high-privilege requirement is the main limiting factor: the attack presupposes an account that already has elevated access to the application.
CVE-2025-54234 was published on 2025-08-18. There are currently no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog. Public proof-of-concept code is not currently available.
Organizations running an unpatched ColdFusion release (up to 2021.19 per this entry), particularly those whose internal applications or services depend on ColdFusion, are at risk. Deployments in which ColdFusion code fetches URLs taken from user-supplied data without validating scheme and destination are the most exposed, since that is exactly the code path an SSRF abuses.
• java / server: confirm ColdFusion is running on the host.
ps aux | grep -i coldfusion
• java / server: follow the service log while testing; note that the vulnerability name never appears in logs, so grep for the behaviour you are probing (for example the URL parameter or destination you submitted), not for "Server-Side Request Forgery".
journalctl -u coldfusion -f
• generic web: check that the instance answers and what it reveals in response headers (ColdFusion does not normally expose its update level here, so this does not establish the patch state).
curl -I <coldfusion_url>
• generic web: the reliable check is the installed version and update level shown on the ColdFusion Administrator's System Information page, compared against the fixed builds listed below; searching the web root for the string "Server-Side Request Forgery" (for example under /opt/coldfusion/cfusion/wwwroot/, adjust the path as needed) finds nothing useful, because the flaw is in the product, not in a marked-up file.
Exploit status
EPSS
0.05% (15th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-54234 is to upgrade to a fixed ColdFusion release (2025.1, 2023.13 or 2021.19 or later, per the bulletin). If upgrading immediately is not possible, validate every URL the application accepts before fetching it: allow only http and https, reject IP literals and hostnames that resolve to loopback, private, link-local or cloud-metadata addresses, and prefer an explicit allowlist of destinations over a denylist. A web application firewall can block obviously malicious URL values in inbound requests, but it does not see the server's outbound call; egress filtering on the ColdFusion host (deny outbound connections to internal ranges and metadata endpoints) limits what a successful SSRF can reach. Regularly review ColdFusion configuration so that administrative and high-privilege access, which this vulnerability requires, is restricted to the accounts that need it.
Update ColdFusion to version 2025.1, 2023.13 or 2021.19 or later. This resolves the SSRF vulnerability. Consult the Adobe security bulletin for details and specific instructions.
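The URL validation recommended above, and the log check from the detection list, both come down to one question: is this destination one the server should ever fetch? The following Python is an added example that is not part of this page and is not Adobe ColdFusion code; it assumes a hypothetical application endpoint that fetches a user-supplied URL, a hypothetical allowlist of external hosts, a constructed DNS table (so it runs offline) and constructed access-log lines. `classify_url` is the guard you would call before any server-side fetch; `scan_access_log` reuses it to flag requests in an access log whose URL parameter would have been rejected.

```python
"""SSRF guard for outbound URL fetches, plus an access-log sweep using the same rules.

Added example, not part of the original page and not Adobe ColdFusion code.
Hypothetical assumptions: an application endpoint /app/fetch.cfm takes a `url`
parameter and fetches it server-side; ALLOWED_HOSTS is the application's own
allowlist; DNS and SAMPLE_LOG are constructed so the example runs offline.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Hypothetical allowlist of destinations the application legitimately fetches.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com", "partner.example.org"}

# Constructed DNS table. A real guard resolves the name, checks every returned
# address, and pins the checked address for the actual connection (DNS rebinding).
DNS = {
    "api.example.com": ["93.184.216.34"],
    "cdn.example.com": ["104.16.1.1"],
    "partner.example.org": ["10.0.0.5"],  # allowlisted name hijacked to an internal address
}


def classify_url(url, dns=DNS):
    """Return (allowed, reason) for a URL the server is about to fetch.

    Rejects non-http(s) schemes (file:, gopher:, ...), userinfo tricks
    (http://trusted@10.0.0.5/), hosts outside the allowlist, and any address that
    is loopback, private, link-local (incl. 169.254.169.254 cloud metadata) or
    otherwise not globally routable. Apply it again to every redirect hop.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        label = scheme or "<none>"
        return False, f"scheme '{label}' not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "userinfo in URL"
    try:
        literal = ipaddress.ip_address(host)  # IPv4, IPv6 or bracketed IPv6 literal
    except ValueError:
        literal = None
    if literal is not None and not literal.is_global:
        return False, f"non-global address {literal}"
    # Allowlist before resolution: never issue DNS queries for attacker-chosen names.
    if host not in ALLOWED_HOSTS:
        return False, f"host '{host}' not in allowlist"
    addrs = [literal] if literal else [ipaddress.ip_address(a) for a in dns.get(host, [])]
    if not addrs:
        return False, f"'{host}' does not resolve"
    for addr in addrs:
        if not addr.is_global:  # private, loopback, link-local, reserved, multicast...
            return False, f"'{host}' resolves to non-global address {addr}"
    return True, "ok"


# Combined-log-format request line; enough to pull the request path out.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed access-log lines (not captured from a real ColdFusion server).
SAMPLE_LOG = """\
10.1.2.3 - admin [18/Aug/2025:10:00:01 +0000] "GET /app/fetch.cfm?url=https%3A%2F%2Fapi.example.com%2Fv1%2Fitems HTTP/1.1" 200 512
10.1.2.3 - admin [18/Aug/2025:10:00:09 +0000] "GET /app/fetch.cfm?url=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 200 1835
10.1.2.3 - admin [18/Aug/2025:10:00:15 +0000] "GET /app/fetch.cfm?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 500 0
10.1.2.3 - admin [18/Aug/2025:10:00:22 +0000] "GET /app/fetch.cfm?url=http%3A%2F%2Fpartner.example.org%2F HTTP/1.1" 200 73
"""


def scan_access_log(text, param="url"):
    """Return (timestamp, client, decoded_url, reason) for every request whose URL
    parameter fails classify_url(); a first-pass hunt for abuse of a fetch endpoint."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        query = urlsplit(m["path"]).query
        for target in parse_qs(query).get(param, []):  # parse_qs percent-decodes
            ok, reason = classify_url(target)
            if not ok:
                hits.append((m["ts"], m["ip"], target, reason))
    return hits


if __name__ == "__main__":
    for ts, client, target, reason in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {client} {target} -> {reason}")
```

The allowlist is checked before any name is resolved, so an attacker cannot use the validator as a DNS oracle, and the resolved addresses are checked anyway so that an allowlisted name pointed at an internal address (the `partner.example.org` line) is still refused. Python's `is_global` treats the RFC 5737 documentation ranges as non-global, which is why the constructed DNS table uses ordinary public addresses.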
CVE-2025-54234 is a Server-Side Request Forgery (SSRF) vulnerability in Adobe ColdFusion releases up to 2021.19 (per this entry) that lets a high-privilege authenticated attacker make the server issue requests to attacker-chosen URLs, including a limited read of local files.
You are affected if you run an unpatched ColdFusion release (up to 2021.19 per this entry; check the bulletin for the 2023 and 2025 branches). Upgrade to a fixed release (2025.1, 2023.13 or 2021.19 or later) to remove the risk.
Upgrade to a fixed ColdFusion release. As a temporary workaround, validate URLs before the server fetches them (http/https only, allowlisted destinations, no internal or metadata addresses), restrict outbound connections from the ColdFusion host, and use a WAF to block obviously malicious URL values in inbound requests.
As of the current date, there are no confirmed reports of active exploitation of CVE-2025-54234.
Please refer to the official Adobe Security Bulletin for CVE-2025-54234: [https://www.adobe.com/security/advisories/AdobeSecurityBulletin.txt](https://www.adobe.com/security/advisories/AdobeSecurityBulletin.txt)