DEV Community

Cover image for ColdFusion CFMail Broken After Security Update: Diagnosing the Felix Cache Issue
Deepak Sir
Deepak Sir

Posted on • Originally published at Medium

ColdFusion CFMail Broken After Security Update: Diagnosing the Felix Cache Issue

If suddenly stopped sending after you applied a 2025 ColdFusion security update — and your logs show java.lang.VerifyError: Bad type on operand stack pointing at coldfusion/mail/MailImpl.signMail and a BouncyCastle SMIME class — you've hit a known, Adobe-acknowledged issue. The cause is a classloader conflict in ColdFusion's OSGi/Felix bundle cache: the security update brought in updated packages, but the stale felix-cache causes ColdFusion to load an incompatible version of the BouncyCastle cryptography library that uses internally (even when you're not signing messages). The official workaround is to stop ColdFusion, delete the felix-cache folder at cfusion/bin/felix-cache (or [instanceName]/bin/felix-cache for named instances), and restart — ColdFusion recreates it cleanly on startup. This began with updates like CF2021 Update 21, CF2023 Update 15, and the CF2025 update series (July 2025 onward), Adobe added it to the update technotes as a "known issue," and Adobe has a direct fix available via cfinstal@adobe.com. Do not skip the security update because of this — the vulnerabilities it fixes are far more dangerous than a mail outage with a known fix. This guide walks through diagnosing and resolving it.
Read More

Top comments (0)