Serialfilter text file

What is SerialFilter

The serialfilter.txt file drives ColdFusion's Java serialization filter: a screen that inspects each class named in an incoming stream of serialized Java objects and decides whether it may be deserialized, before any of that class's code runs. The file enumerates the packages that are disallowed. ColdFusion rejects every class that falls under a listed package, so a deserialization gadget chain that depends on such a class cannot be instantiated, which blunts insecure-deserialization attacks against the server.

How to block a vulnerable package

If a package used by ColdFusion, or by a library deployed alongside it, is reported as exploitable through deserialization, block it as follows:

  1. Add a reject pattern for the package to the serialfilter.txt file in <CF_HOME>/lib, for example !org.jgroups.** (the leading ! rejects the match; the trailing .** covers the package and all of its subpackages).
  2. Restart ColdFusion so that the updated filter is loaded.
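To see what such an entry does at the Java level, and to syntax-check a serialfilter.txt edit before restarting the server, here is an added example. It is not Adobe's code and not part of the original page. It assumes that serialfilter.txt uses the pattern syntax of java.io.ObjectInputFilter (Java 9+, JEP 290) with patterns separated by semicolons, and that the file may be split across lines; the SAMPLE_FILTER string and the demo.blocked package are constructed for the demonstration, the real file is longer and maintained by Adobe.

```java
package demo.blocked;   // a package only so the demo has a class that the sample filter denies

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.stream.Collectors;

public class SerialFilterDemo {

    // Constructed stand-in for <CF_HOME>/lib/serialfilter.txt (assumed layout: JEP 290
    // patterns separated by ';'). The page's own example, !org.jgroups.**, is included.
    static final String SAMPLE_FILTER =
        "!org.jgroups.**;!org.apache.commons.collections.functors.**;!demo.blocked.**";

    // A harmless serializable class that lives in a package the sample filter rejects.
    static class Payload implements Serializable {
        private static final long serialVersionUID = 1L;
        String note = "never reaches readObject when the filter rejects the class";
    }

    // Parse a serialfilter.txt-style file: trim lines, drop blanks, join with ';'.
    // createFilter throws IllegalArgumentException on a malformed pattern, which is the
    // syntax check worth running before a restart.
    static ObjectInputFilter loadFilter(Path file) throws IOException {
        String pattern = Files.readAllLines(file).stream()
            .map(String::trim)
            .filter(s -> !s.isEmpty())
            .collect(Collectors.joining(";"));
        return ObjectInputFilter.Config.createFilter(pattern);
    }

    // Round-trip obj through Java serialization with the filter installed.
    // Returns true if the stream was accepted, false if the filter rejected a class.
    static boolean accepted(Serializable obj, ObjectInputFilter filter) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(obj);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            in.setObjectInputFilter(filter);   // consulted for every class in the stream
            in.readObject();
            return true;
        } catch (InvalidClassException e) {    // message is "filter status: REJECTED"
            return false;
        } catch (ClassNotFoundException e) {
            throw new IOException(e);
        }
    }

    public static void main(String[] args) throws IOException {
        // Pass the path to a serialfilter.txt to check that file; otherwise use the sample.
        ObjectInputFilter filter = args.length > 0
            ? loadFilter(Paths.get(args[0]))
            : ObjectInputFilter.Config.createFilter(SAMPLE_FILTER);

        // java.util.ArrayList matches no reject pattern, so the filter stays UNDECIDED and
        // deserialization proceeds; demo.blocked.SerialFilterDemo$Payload matches
        // !demo.blocked.** and is rejected before it is instantiated.
        System.out.println("java.util.ArrayList accepted: "
            + accepted(new java.util.ArrayList<String>(), filter));
        System.out.println("demo.blocked.Payload accepted: "
            + accepted(new Payload(), filter));
    }
}
```

Compile and run with `javac -d out SerialFilterDemo.java && java -cp out demo.blocked.SerialFilterDemo`, or pass `<CF_HOME>/lib/serialfilter.txt` as the first argument to confirm the edited file still parses. A pattern that rejects the wrong thing is silent until some legitimate deserialization fails, so after a restart watch the ColdFusion logs for InvalidClassException with "filter status: REJECTED" before assuming the change is harmless.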

This mechanism was updated in the following ColdFusion versions to also handle ColdFusion wddx deserialization:
