[GHSA-cjmh-96m9-g6qr] ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier... #6525
Conversation
github-actions
bot
changed the base branch from
main
to
CosmicJesterX/advisory-improvement-6525
|
they been rtaking over vercel for days now. just 1h on |
There was a problem hiding this comment.
Pull request overview
This PR updates a GitHub Security Advisory for a ColdFusion deserialization vulnerability (CVE-2025-61810). The changes add metadata about affected products and a summary field to provide more complete vulnerability information.
- Added a "summary" field with the value "Urgent"
- Populated the "affected" array with package information for Packagist ecosystem
- Updated the "modified" timestamp to reflect the changes
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "aliases": [ | ||
| "CVE-2025-61810" | ||
| ], | ||
| "summary": "Urgent", |
There was a problem hiding this comment.
The summary "Urgent" is not informative and doesn't provide any meaningful description of the vulnerability. Consider using a more descriptive summary that explains what the vulnerability is, such as "ColdFusion Deserialization of Untrusted Data vulnerability leading to arbitrary code execution".
| "summary": "Urgent", | |
| "summary": "ColdFusion Deserialization of Untrusted Data vulnerability leading to arbitrary code execution", |
| "ecosystem": "Packagist", | ||
| "name": "" |
There was a problem hiding this comment.
The package name is empty in the affected products section. The "name" field should specify the actual package name for ColdFusion in the Packagist ecosystem, or the ecosystem should be changed to match the appropriate package manager for ColdFusion. ColdFusion is typically distributed by Adobe and may not be in Packagist at all. Consider using the correct ecosystem (e.g., "adobe" or a custom ecosystem) or removing this entry if package information is unavailable.
| "ecosystem": "Packagist", | |
| "name": "" | |
| "ecosystem": "adobe", | |
| "name": "coldfusion" |
| "introduced": "0" | ||
| } | ||
| ] |
There was a problem hiding this comment.
The affected version range is incomplete. According to the details field, ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected, but the current range specification only has an "introduced": "0" event without any upper bound or specific version information. This makes the advisory too broad and potentially inaccurate. Consider adding proper version constraints that match the vulnerability description (e.g., version ranges for 2021.x ≤ 2021.22, 2023.x ≤ 2023.16, and 2025.x ≤ 2025.4).
| "introduced": "0" | |
| } | |
| ] | |
| "introduced": "2021.0" | |
| }, | |
| { | |
| "fixed": "2021.23" | |
| } | |
| ] | |
| }, | |
| { | |
| "type": "ECOSYSTEM", | |
| "events": [ | |
| { | |
| "introduced": "2023.0" | |
| }, | |
| { | |
| "fixed": "2023.17" | |
| } | |
| ] | |
| }, | |
| { | |
| "type": "ECOSYSTEM", | |
| "events": [ | |
| { | |
| "introduced": "2025.0" | |
| }, | |
| { | |
| "fixed": "2025.5" | |
| } | |
| ] |
Updates
Comments
pslplspls