Last updated on Aug 17, 2023
What is SerialFilter
The serialfilter.txt file configures a Java serialization filter that screens and validates incoming streams of serialized Java objects before they are deserialized. The file enumerates the disallowed packages: ColdFusion refuses to deserialize any class that falls under a package in this list, which helps prevent insecure-deserialization attacks.
How to prevent it
If a package is reported to be vulnerable to deserialization attacks, follow these steps:
- Add a rejecting entry for the package to the serialfilter.txt file in <CF_HOME>/lib, for example !org.jgroups.**
- Restart ColdFusion.
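To see how the entries in serialfilter.txt are interpreted, here is an added example that is not code from Adobe or ColdFusion: it emulates the decision for a constructed filter file. It assumes the file follows the JDK ObjectInputFilter (JEP 290) pattern syntax, which the !org.jgroups.** entry above uses; SAMPLE_SERIALFILTER, the class names and the helper names (parse_patterns, pattern_matches, check_class, audit) are constructed for the illustration.

```python
"""Emulation of how a ColdFusion serialfilter.txt pattern list decides whether a
class may be deserialized. Added illustration, not ColdFusion's own code; it
assumes the file uses the JDK ObjectInputFilter (JEP 290) pattern syntax."""

# Constructed sample of a serialfilter.txt; the real file is <CF_HOME>/lib/serialfilter.txt.
SAMPLE_SERIALFILTER = """
# Reject org.jgroups and every subpackage
!org.jgroups.**
# Reject one specific class
!com.example.legacy.Gadget
# Reject the remaining classes directly in com.example.legacy (subpackages excluded)
!com.example.legacy.*
"""


def parse_patterns(text):
    """Return (rejects, pattern) tuples in file order. Blank lines and '#'
    comments are skipped; a leading '!' marks a rejecting pattern.
    Limit entries such as maxdepth=... are out of scope for this emulation."""
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rejects = line.startswith("!")
        patterns.append((rejects, line[1:] if rejects else line))
    return patterns


def pattern_matches(pattern, class_name):
    """Match one pattern against a fully qualified class name with the JEP 290 rules:
    'pkg.**' matches the package and all subpackages,
    'pkg.*'  matches classes directly in the package only,
    'text*'  matches any class name starting with 'text' ('*' alone matches all),
    anything else must equal the class name exactly."""
    if pattern.endswith(".**"):
        return class_name.startswith(pattern[:-2])  # prefix keeps its trailing dot
    if pattern.endswith(".*"):
        prefix = pattern[:-1]
        return class_name.startswith(prefix) and "." not in class_name[len(prefix):]
    if pattern.endswith("*"):
        return class_name.startswith(pattern[:-1])
    return class_name == pattern


def check_class(patterns, class_name):
    """First matching pattern decides, as in ObjectInputFilter.Config.createFilter.
    Returns 'REJECTED', 'ALLOWED', or 'UNDECIDED' when no pattern matched;
    an UNDECIDED class is not blocked by the filter file."""
    for rejects, pattern in patterns:
        if pattern_matches(pattern, class_name):
            return "REJECTED" if rejects else "ALLOWED"
    return "UNDECIDED"


def audit(text, class_names):
    """Map each class name to the filter decision, to review a proposed
    serialfilter.txt before restarting ColdFusion."""
    patterns = parse_patterns(text)
    return {name: check_class(patterns, name) for name in class_names}


if __name__ == "__main__":
    # Constructed class names, chosen to exercise each pattern form.
    verdicts = audit(SAMPLE_SERIALFILTER, [
        "org.jgroups.blocks.ReplicatedTree",
        "org.jgroupsx.Util",                  # shares a prefix but is not the package
        "com.example.legacy.Gadget",
        "com.example.legacy.Other",
        "com.example.legacy.deep.Other",      # subpackage, so '.*' does not apply
        "java.util.HashMap",
    ])
    for name, verdict in verdicts.items():
        print(f"{verdict:10} {name}")
```

A class that no pattern matches comes back UNDECIDED, and the filter file does not block it; this is why each vulnerable package needs its own rejecting entry, and why a package-prefix lookalike such as org.jgroupsx is not covered by !org.jgroups.** . The edited file takes effect only after the restart in the step above.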
This mechanism was updated in the following ColdFusion versions to also handle ColdFusion wddx deserialization: