XML External Entity Reference Vulnerability in ColdFusion by Adobe
CVE-2025-61813

8.2 HIGH

Key Information:

Vendor: Adobe
CVE Published: 9 December 2025

What is CVE-2025-61813?

ColdFusion versions 2025.4, 2023.16, and 2021.22, along with earlier versions, are affected by an Improper Restriction of XML External Entity Reference (XXE) vulnerability. This flaw allows attackers to exploit the system and gain unauthorized access to sensitive files located on the server. Exploitation does not require user interaction, which makes it a significant risk to server data security. For detailed information and guidance on mitigation, refer to the official Adobe security advisory.

Affected Version(s)

ColdFusion 0 <= 2021.22

CVSS V3.1

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
