CVE-2025-49535

Name of the Vulnerable Software and Affected Versions: ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier

Description: The issue is related to an Improper Restriction of XML External Entity Reference ('XXE') that could result in a security feature bypass. An attacker could exploit this to access sensitive information or perform a denial of service by bypassing security measures. The exploitation does not require user interaction, and the scope is modified. The vulnerable component is restricted to internal IP addresses.

Recommendations: For versions 2025.2, 2023.14, and 2021.20, update to a version that includes a fix for this issue. For versions prior to 2021.20, update to a version that includes a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.