Serialfilter text file

Last update:

May 18, 2026

What is SerialFilter

The serialFilter file is a Java serialization filtering mechanism that screens and validates incoming streams of serialized Java objects before they are deserialized. This file is used to enumerate the list of disallowed packages. ColdFusion will block any package in this list from insecure deserialization to help prevent security attacks.

How to prevent it

If you’re aware of any package being reported for vulnerability in deserialization, follow the steps:

Use the serialfilter.txt file in <CF_HOME>/lib to disallow the package, for example, !org.jgroups.**
Restart ColdFusion.

This mechanism was updated in the following ColdFusion versions to also handle ColdFusion wddx deserialization:

Was this page helpful?

We're glad. Tell us how this page helped.

Found the answer to my problem Understood the instructions Liked the feature

Other suggestions

We're sorry. Can you tell us what didn't work for you?

Didn't find the answer to my problem Couldn't understand the instructions Didn't like the feature

Other suggestions

Thank you for your feedback. Your response will help improve this page.

Was this helpful?

We are sorry the content didn't meet your needs.

Share additional feedback to help us improve.

0/255 | Character limit exceeded.

Thank you so much for sharing your feedback!

Serialfilter text file

What is SerialFilter

How to prevent it

On this page