[GHSA-cjmh-96m9-g6qr] ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier...#6525
Conversation
github-actions
bot
changed the base branch from
main
to
CosmicJesterX/advisory-improvement-6525
This comment was marked as spam.
This comment was marked as spam.
There was a problem hiding this comment.
Pull request overview
This PR updates a GitHub Security Advisory for a ColdFusion deserialization vulnerability (CVE-2025-61810). The changes add metadata about affected products and a summary field to provide more complete vulnerability information.
- Added a "summary" field with the value "Urgent"
- Populated the "affected" array with package information for Packagist ecosystem
- Updated the "modified" timestamp to reflect the changes
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
advisories/unreviewed/2025/12/GHSA-cjmh-96m9-g6qr/GHSA-cjmh-96m9-g6qr.json
Show resolved
Hide resolved
| "ecosystem": "Packagist", | ||
| "name": "" |
There was a problem hiding this comment.
The package name is empty in the affected products section. The "name" field should specify the actual package name for ColdFusion in the Packagist ecosystem, or the ecosystem should be changed to match the appropriate package manager for ColdFusion. ColdFusion is typically distributed by Adobe and may not be in Packagist at all. Consider using the correct ecosystem (e.g., "adobe" or a custom ecosystem) or removing this entry if package information is unavailable.
| "ecosystem": "Packagist", | |
| "name": "" | |
| "ecosystem": "adobe", | |
| "name": "coldfusion" |
| "introduced": "0" | ||
| } | ||
| ] |
There was a problem hiding this comment.
The affected version range is incomplete. According to the details field, ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected, but the current range specification only has an "introduced": "0" event without any upper bound or specific version information. This makes the advisory too broad and potentially inaccurate. Consider adding proper version constraints that match the vulnerability description (e.g., version ranges for 2021.x ≤ 2021.22, 2023.x ≤ 2023.16, and 2025.x ≤ 2025.4).
| "introduced": "0" | |
| } | |
| ] | |
| "introduced": "2021.0" | |
| }, | |
| { | |
| "fixed": "2021.23" | |
| } | |
| ] | |
| }, | |
| { | |
| "type": "ECOSYSTEM", | |
| "events": [ | |
| { | |
| "introduced": "2023.0" | |
| }, | |
| { | |
| "fixed": "2023.17" | |
| } | |
| ] | |
| }, | |
| { | |
| "type": "ECOSYSTEM", | |
| "events": [ | |
| { | |
| "introduced": "2025.0" | |
| }, | |
| { | |
| "fixed": "2025.5" | |
| } | |
| ] |
|
Hi @CosmicJesterX, I'm closing this PR because Adobe ColdFusion is a proprietary product and not part of one of the GitHub Advisory Database's supported ecosystems. Thank you for your interest in GHSA-cjmh-96m9-g6qr. |
Updates
Comments
pslplspls