Skip to main content

Adobe ColdFusion CVE-2025-61813

HIGH
Improper Restriction of XML External Entity Reference (CWE-611)
2025-12-10 psirt@adobe.com
8.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Apr 28, 2026 - 03:31 vuln.today

DescriptionCVE.org

ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files on the server. Exploitation of this issue does requires user interaction and scope is changed.

AnalysisAI

XML External Entity (XXE) injection in Adobe ColdFusion 2025.4, 2023.16, 2021.22 and earlier allows remote attackers to read arbitrary files from the server filesystem via maliciously crafted XML documents requiring user interaction. The vulnerability achieves scope change (CVSS S:C), meaning exploitation can affect resources beyond the vulnerable component. Adobe has released patches in APSB25-105. No confirmed active exploitation (CISA KEV) or public POC identified at time of analysis. EPSS data not available.

Technical ContextAI

CWE-611 XXE vulnerabilities occur when XML parsers are configured to process external entity references without proper restrictions. ColdFusion's XML processing components (likely CFML's XMLParse(), XML-related tags, or web service handlers) fail to disable external entity resolution, allowing attackers to inject malicious Document Type Definitions (DTDs) that reference local file:// URIs or network resources. The CVSS scope change (S:C) indicates the vulnerable XML parser operates with different security context or privileges than the affected ColdFusion application component, enabling cross-boundary impacts. CPE data identifies three major version lines affected: ColdFusion 2021 (base through Update 17+), 2023 (through Update 16), and 2025 (through Update 4), spanning Adobe's current supported product lifecycle.

RemediationAI

Apply Adobe-released patches from Security Bulletin APSB25-105 (https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html) immediately: upgrade ColdFusion 2021 to Update 23 or later, ColdFusion 2023 to Update 17 or later, and ColdFusion 2025 to Update 5 or later (exact patched versions confirmed in APSB25-105). If patching cannot be completed immediately, implement compensating controls: disable or restrict access to ColdFusion features that process external XML input (CFML XMLParse, CFINVOKE web services, REST API XML handlers) to authenticated administrators only; implement strict XML input validation rejecting DOCTYPE declarations and external entity references at application firewalls or reverse proxies (may break legitimate XML processing workflows requiring DTDs); configure ColdFusion's Sandbox Security to restrict file system read access for applications processing untrusted XML (performance overhead and requires careful permission tuning). For ColdFusion 2021 nearing end-of-support, prioritize migration planning to currently supported versions alongside patching.

Share

CVE-2025-61813 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy