Sandbox Security Escapes in ColdFusion and Lucee (CVE-2025-30288 and CVE-2024-55354)

Introduction

In this post I'm going to cover the technical details of a security sandbox escape technique that affects Adobe ColdFusion and Lucee Server.  These vulnerabilities are tracked as CVE-2025-30288 and CVE-2024-55354, and were announced in April 2025.  The resulting patches changed the default way that ColdFusion handled precompiled CFML (Java bytecode) in .cfm and .cfc files.

Before we get into the technical details, it's worth noting that an attacker needs to be able to write files to the server in order to exploit the vulnerability.  As a result, this vulnerability is primarily a risk to shared hosting environments where CFML sandbox controls are in use.  (If an attacker or malicious user can write files to your single-tenant environment, you probably have bigger, more immediate security concerns beyond sandbox escapes.)

Get ready for what I hope is an interesting trip through ColdFusion internals, some Java, and other technical depths.  This was a fun one to find, explore, and exploit. 

CFCamp 2025 Slides - Understanding CFML Vulnerabilities, Exploits, and Attack Paths

 In May I had the pleasure of attending my first CFCamp, where I spoke about CFML security.

The slides from my talk -- Understanding CFML Vulnerabilities, Exploits, and Attack Paths -- are now online below.  With an added bonus of Bavaria in Springtime!

An SSRF to LFI Payload for PDF Generators (CVE-2024-34112 and beyond)

"Hola, amigos. How’s it hangin’? I know it’s been a long time since I last rapped at ya, but I've been busier than a feather plucker on nickel wing night, ya know?  You old buddy Jimbo found some discarded books out back next to the dumpster at the inconvenience store about something called 'Cold Fusion' and I've been reading through those bad boys.  Shoulda called it CON-Fusion if ya ask me.  But I've been having trouble reading the printed word and gettin' these awful headaches ever since I popped in side two of 'Hemispheres' and lit up some sweet Thai Stick I found underneath the passenger side seat of my crapbox Festiva -- that turned out to be the taquito I dropped last July after the Dane County Fair.  It just goes to show ya, yours truly can't catch a break in this world."

[ It was at this point that we decided it wouldn't be a good idea to let Mr. Anchower write the entire blog post.  We weren't wrong.   -Ed. ]

Ahem.  Quick post for today on an SSRF payload that can potentially be used for local file retrieval.  I'll be framing it in the context of CVE-2024-34112, but it could be a viable attack against any application that is doing server-side PDF generation with user-controlled data.