EUVD-2025-20704
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
3Tags
Description
ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. A high-privilege authenticated attacker can force the application to make arbitrary requests via injection of URLs. Exploitation of this issue does not require user interaction and scope is changed. The vulnerable component is restricted to internal IP addresses.
Analysis
ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. A high-privilege authenticated attacker can force the application to make arbitrary requests via injection of URLs. Exploitation of this issue does not require user interaction and scope is changed. The vulnerable component is restricted to internal IP addresses.
Technical Context
Server-Side Request Forgery allows an attacker to induce the server to make HTTP requests to arbitrary destinations, including internal services. This vulnerability is classified as Server-Side Request Forgery (SSRF) (CWE-918).
Affected Products
Affected products: Adobe Coldfusion 2021
Remediation
Validate and whitelist allowed URLs and IP ranges. Block requests to internal/private IP ranges. Use network segmentation to limit server-side request scope.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today