CVE-2025-49539

Name of the Vulnerable Software and Affected Versions: ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier

Description: The issue is related to an Improper Restriction of XML External Entity Reference ('XXE') that could result in a security feature bypass. A high-privileged attacker could leverage this vulnerability to access sensitive information. Exploitation of this issue does not require user interaction. The vulnerable component is restricted to internal IP addresses.

Recommendations: For ColdFusion versions 2025.2, 2023.14, and 2021.20, update to a version that includes a fix for the XXE vulnerability. For versions prior to 2021.20, update to a version that includes a fix for the XXE vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.