@@ -1,19 +1,37 @@
{
"schema_version": "1.4.0",
"id": "GHSA-cjmh-96m9-g6qr",
"modified": "2025-12-10T00:30:22Z",
"modified": "2025-12-10T00:30:30Z",
"published": "2025-12-10T00:30:22Z",
"aliases": [
"CVE-2025-61810"
],
"summary": "Urgent",
Copilot AI Dec 10, 2025

The summary "Urgent" is not informative and doesn't provide any meaningful description of the vulnerability. Consider using a more descriptive summary that explains what the vulnerability is, such as "ColdFusion Deserialization of Untrusted Data vulnerability leading to arbitrary code execution".

Suggested change
"summary": "Urgent",
"summary": "ColdFusion Deserialization of Untrusted Data vulnerability leading to arbitrary code execution",

"details": "ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. A high privileged attacker could exploit this vulnerability by providing maliciously crafted serialized data to the application. Exploitation of this issue requires user interaction and scope is changed.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H"
}
],
"affected": [],
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": ""
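Review bot: the new affected entry declares "ecosystem": "Packagist" with "name": "", which is a regression from the "affected": [] it replaces: Packagist is the PHP Composer registry, ColdFusion is not published there, and an empty package name can never be matched by any tool consuming the advisory, so the entry is noise at best and misleading at worst. If no supported ecosystem carries the product, keep "affected": [] and let the details and references identify the vendor product; if a real package is intended, name it exactly rather than leaving a placeholder.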
Comment on lines +20 to +21

Copilot AI Dec 10, 2025

The package name is empty in the affected products section. The "name" field should specify the actual package name for ColdFusion in the Packagist ecosystem, or the ecosystem should be changed to match the appropriate package manager for ColdFusion. ColdFusion is typically distributed by Adobe and may not be in Packagist at all. Consider using the correct ecosystem (e.g., "adobe" or a custom ecosystem) or removing this entry if package information is unavailable.

Suggested change
"ecosystem": "Packagist",
"name": ""
"ecosystem": "adobe",
"name": "coldfusion"

},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
}
]
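Review bot: the new range has a single "introduced": "0" event and no closing event, so it marks every ColdFusion version, past and future, as vulnerable, which contradicts the details field ("2025.4, 2023.16, 2021.22 and earlier"). The details give last affected versions rather than fixed versions, so the faithful encoding is one range per release line using the schema's "last_affected" event, for example { "introduced": "2021.0" }, { "last_affected": "2021.22" } (the "2021.0" lower bound is illustrative) and likewise for 2023.16 and 2025.4; switch to "fixed" only once the patched versions are confirmed from the vendor advisory. Note also that ECOSYSTEM ranges are compared with the named ecosystem's version ordering, so these events only become meaningful once the package entry above names a real ecosystem and package.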
Comment on lines +28 to +30

Copilot AI Dec 10, 2025

The affected version range is incomplete. According to the details field, ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected, but the current range specification only has an "introduced": "0" event without any upper bound or specific version information. This makes the advisory too broad and potentially inaccurate. Consider adding proper version constraints that match the vulnerability description (e.g., version ranges for 2021.x ≤ 2021.22, 2023.x ≤ 2023.16, and 2025.x ≤ 2025.4).

Suggested change
"introduced": "0"
}
]
"introduced": "2021.0"
},
{
"fixed": "2021.23"
}
]
},
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "2023.0"
},
{
"fixed": "2023.17"
}
]
},
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "2025.0"
},
{
"fixed": "2025.5"
}
]

}
]
}
],
"references": [
{
"type": "ADVISORY",