ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to limited file system read. A high-privilege authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction.
Conclusion & alert: CVE-2025-54234 is rated Low Risk (28.6/100): CVSS Low severity, with low exploitation likelihood (EPSS 0.75%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.34% | 0.75% | +0.41% |
| 2 | 2026-06-14 | 0.05% | 0.34% | +0.29% |
| 3 | 2026-04-23 | — | 0.05% | — |
Full EPSS history (9 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 2.7 | 3.1 | LOW |
|
1.2 | 1.4 | [email protected] |
| 2.7 | 3.1 | LOW |
|
1.2 | 1.4 | [email protected] |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| adobe | coldfusion | 2021 | cpe:2.3:a:adobe:coldfusion:2021:-:*:*:*:*:*:* |
| adobe | coldfusion | 2021 | cpe:2.3:a:adobe:coldfusion:2021:update1:*:*:*:*:*:* |
| adobe | coldfusion | 2021 | cpe:2.3:a:adobe:coldfusion:2021:update10:*:*:*:*:*:* |
| adobe | coldfusion | 2021 | cpe:2.3:a:adobe:coldfusion:2021:update11:*:*:*:*:*:* |
| adobe | coldfusion | 2021 | cpe:2.3:a:adobe:coldfusion:2021:update12:*:*:*:*:*:* |
| adobe | coldfusion | 2021 | cpe:2.3:a:adobe:coldfusion:2021:update13:*:*:*:*:*:* |
| adobe | coldfusion | 2021 | cpe:2.3:a:adobe:coldfusion:2021:update14:*:*:*:*:*:* |
| adobe | coldfusion | 2021 | cpe:2.3:a:adobe:coldfusion:2021:update15:*:*:*:*:*:* |
| adobe | coldfusion | 2021 | cpe:2.3:a:adobe:coldfusion:2021:update16:*:*:*:*:*:* |
| adobe | coldfusion | 2021 | cpe:2.3:a:adobe:coldfusion:2021:update17:*:*:*:*:*:* |
| adobe | coldfusion | 2021 | cpe:2.3:a:adobe:coldfusion:2021:update18:*:*:*:*:*:* |
| adobe | coldfusion | 2021 | cpe:2.3:a:adobe:coldfusion:2021:update19:*:*:*:*:*:* |
| adobe | coldfusion | 2021 | cpe:2.3:a:adobe:coldfusion:2021:update2:*:*:*:*:*:* |
| adobe | coldfusion | 2021 | cpe:2.3:a:adobe:coldfusion:2021:update3:*:*:*:*:*:* |
| adobe | coldfusion | 2021 | cpe:2.3:a:adobe:coldfusion:2021:update4:*:*:*:*:*:* |
| adobe | coldfusion | 2021 | cpe:2.3:a:adobe:coldfusion:2021:update5:*:*:*:*:*:* |
| adobe | coldfusion | 2021 | cpe:2.3:a:adobe:coldfusion:2021:update6:*:*:*:*:*:* |
| adobe | coldfusion | 2021 | cpe:2.3:a:adobe:coldfusion:2021:update7:*:*:*:*:*:* |
| adobe | coldfusion | 2021 | cpe:2.3:a:adobe:coldfusion:2021:update8:*:*:*:*:*:* |
| adobe | coldfusion | 2021 | cpe:2.3:a:adobe:coldfusion:2021:update9:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:-:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:update1:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:update10:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:update11:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:update12:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:update13:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:update2:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:update3:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:update4:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:update5:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:update6:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:update7:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:update8:*:*:*:*:*:* |
| adobe | coldfusion | 2023 | cpe:2.3:a:adobe:coldfusion:2023:update9:*:*:*:*:*:* |
| adobe | coldfusion | 2025 | cpe:2.3:a:adobe:coldfusion:2025:-:*:*:*:*:*:* |
| adobe | coldfusion | 2025 | cpe:2.3:a:adobe:coldfusion:2025:update1:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://helpx.adobe.com/security/products/coldfusion/apsb25-52.html | Vendor Advisory |