Introduction
In this post I'm going to cover the technical details of a security sandbox escape technique that affects Adobe ColdFusion and Lucee Server. These vulnerabilities are tracked as CVE-2025-30288 and CVE-2024-55354, and were announced in April 2025. The resulting patches changed the default behavior of ColdFusion when handling precompiled CFML (Java bytecode) in .cfm and .cfc files.
Before we get into the technical details, it's worth noting that an attacker needs to be able to write files to the server in order to exploit the vulnerability. As a result, this vulnerability is primarily a risk to shared hosting environments where CFML sandbox controls are in use. (If an attacker or malicious user can write files to your single-tenant environment, you probably have bigger, more immediate security concerns beyond sandbox escapes.)
Get ready for what I hope is an interesting trip through ColdFusion internals, some Java, and other technical depths. This was a fun one to find, explore, and exploit.