
JVM arguments in ColdFusion (2025 release)

Last update:
May 18, 2026
JVM arguments in this release
JVM argument
Default
Description
-Dcoldfusion.attachment.allowblockedextensions
False
Controls whether ColdFusion permits attachments with file extensions that are blocked by default for security reasons. When set to false (default), blocked file types cannot be attached. Setting the flag to true allows these file types to be attached, which may be required for specific trusted use cases but can increase security risk.
-Dcoldfusion.xml.saxon.allowEnvironmentVariable
False
Controls whether ColdFusion permits the environment-variable() function in XSLT stylesheets processed by XMLSearch and XMLTransform. When set to false (default), this function is blocked, preventing stylesheets from reading environment variables from the host system. Set to true only if your deployment explicitly requires this capability.
-Dcoldfusion.xml.saxon.allowResultDocument
False
Controls whether ColdFusion permits the use of xsl:result-document in XSLT stylesheets processed by XMLSearch and XMLTransform. When set to false (default), xsl:result-document is blocked, preventing stylesheets from writing output to arbitrary file paths on the server. Set to true only if your deployment explicitly requires this capability.
-Dcoldfusion.xml.saxon.allowUnparsedText
False
Controls whether ColdFusion permits the unparsed-text() function family in XSLT stylesheets processed by XMLSearch and XMLTransform. When set to false (default), these functions are blocked, preventing stylesheets from reading arbitrary files from the server file system. Set to true only if your deployment explicitly requires this capability.
-Dcoldfusion.xml.saxon.allowDocFunction
False
Controls whether ColdFusion permits the doc(), doc-available(), and document() functions in XSLT stylesheets processed by XMLSearch and XMLTransform. When set to false (default), these functions are blocked, preventing stylesheets from loading external or server-side XML documents. Set to true only if your deployment explicitly requires this capability.
JVM arguments in ColdFusion 2025.0.08
JVM argument
Default
Description
-Dcoldfusion.async.emptyfuture.blocking
True
Controls how ColdFusion handles get() calls on incomplete empty futures created by runAsync() (i.e., promises with no associated task body that have not yet been completed).
When true (default), ColdFusion follows the JVM’s CompletableFuture semantics:
  • get() on an incomplete empty future blocks the calling thread until the future is completed (normally, exceptionally, or via cancellation).
When false, ColdFusion emulates the legacy (pre‑CompletableFuture) behavior:
  • get() on an incomplete empty future does not block and instead throws TaskNotCompletedException immediately, allowing applications that relied on the older “fail fast” behavior to continue working without change.
-Dcoldfusion.allow.restricted.exception.types
False
Controls whether ColdFusion allows system-reserved exception types to be used in user-thrown exceptions via cfthrow (tag) and throw() (cfscript).
By default, ColdFusion restricts the type attribute for user-thrown exceptions to custom/application types, and reserves certain types for the engine itself, such as:
  • Database
  • MissingInclude
  • Template
  • Object
  • Security
  • Expression
  • Lock
  • Cfthrow
When coldfusion.allow.restricted.exception.types=true:
  • These reserved exception types are allowed in user code.
  • Statements such as throw(type="Database", ...) or <cfthrow type="Security" ...> are accepted.
-Dcoldfusion.qoq.enforceOldBehaviour
False
A compatibility flag for Query of Queries GROUP BY processing. When enabled, ColdFusion uses legacy GROUP BY behavior to help preserve compatibility with older applications. When disabled, ColdFusion uses the newer default behavior associated with Query of Queries performance improvements.
-Dcoldfusion.qoq.parallel
True
A performance flag that enables or disables parallel processing for Query of Queries. Enabled by default, it allows ColdFusion to use parallelized internal execution for supported in-memory Query of Queries operations. Disabling the flag restores the older non-parallel behavior.
-Dcoldfusion.qoq.parallel.threshold
10000
A tuning flag that controls when Query of Queries parallelization is applied. The default value is 10000, meaning the parallel path is used only when the in-memory result set exceeds 10,000 rows.
-Dcoldfusion.mongodb.returnIdAsString
True
Controls how ColdFusion exposes MongoDB _id values. When set to true (the default), _id is returned as a plain string for backward compatibility, so CF string functions, cfdump, URLs, and session storage work naturally, and applications can use the value safely across requests.
When false, _id is returned as a CFMongoObjectID wrapper, and hex strings in query filters are auto-converted to BSON ObjectId—this is required when working with external clients (Python, Node.js, mongosh) that insert native ObjectIds, since MongoDB is type-strict and queries with mismatched types silently return empty results.
JVM argument
Default
Description
-Dcoldfusion.administrator.inputlengthfilter.maxlength
Increases the maximum size (in characters) allowed for input values processed by the ColdFusion Administrator and Admin API. By default, requests containing input fields larger than the configured limit are rejected with an input validation error. Setting this value to 65536 allows ColdFusion Administrator/API operations, such as importing or processing large SAML XML documents, to accept inputs up to 65,536 characters.
New in ColdFusion (2025 release) Update 5
JVM argument
Default
Description
-Dcoldfusion.websocket.selector.validation
True
Enables WebSocket selector security validation (default True). The validation checks selector expressions against a deny list to make sure they do not contain dangerous ColdFusion commands. Set to false to disable deny list validation for selector expressions. By default, selector expressions should use only logical operations.
-Dcoldfusion.deserialization.safeguard.enabled
True
Enables ColdFusion’s deserialization safeguard, which applies a default‑deny policy to Java deserialization: only classes required by ColdFusion and those explicitly allow‑listed in serialfilter.txt are permitted; all others are blocked and logged. Set this flag to false to temporarily revert to the previous behavior.
-Dcoldfusion.pdf.ddx.allowExternalEntities
False
Controls whether the XML parser used by the cfpdf tag with action="processddx" is allowed to resolve external XML entities defined in DDX (Document Description XML) files.
  • When false (default, recommended), ColdFusion blocks all external entity resolution when processing DDX.
  • When true, ColdFusion allows external entities to be resolved during DDX parsing. This setting is intended only for legacy compatibility if you have existing DDX workflows that intentionally depend on external entities.
-Dcoldfusion.datasource.allowed.properties
None
By default, all connection strings are blocked. To allow a connection string in the datasource, use the flag. The values for the flag can be as follows:
  • allowLoadLocalInfile
  • allowUrlInLocalInfile
  • autoDeserialize
JVM argument
Default
Description
-Dcoldfusion.xml.allowExternalEntities
False
This flag controls whether external entities are allowed when parsing XML. By default, the flag is set to false to disable external entity resolution, preventing potential XML External Entity (XXE) vulnerabilities such as file disclosure or denial-of-service attacks. Setting this flag to false (the default) enhances security and prevents blind XXE attacks that could otherwise be exploited to read sensitive files from the file system. If your applications rely on parsing XML with external entities enabled (not recommended), you must explicitly set the flag to true, but this may introduce security risks.
JVM argument
Default
Description
-Dcoldfusion.runtime.remotemethod.matchArguments
True
The flag is set to true by default, which enforces strict argument matching. If a remote method expects certain parameters, those arguments must be explicitly declared using the cfargument tag or defined directly in the function signature. For example, if a remote function is defined to accept two arguments, it must only receive those two. Passing more than the declared number (for example, 10) will result in an error. This change ensures stricter method integrity and a better debugging experience. This behavior change applies only to remote CFC methods.
-Dcoldfusion.systemprobe.allowexecution
False
By default, this flag is set to false for security reasons. The flag prevents the execution of a System Probe during a failure. To enable this functionality, set its value to true.
JVM argument
Default
Description
-Dcoldfusion.pdfg.connectionTimeout
The value is in milliseconds. This is the timeout value that will be set for PDF conversion. If a conversion takes longer than the mentioned value, it will be timed out, and an exception will be thrown.
New in ColdFusion (2025 release)
JVM argument
Default
Description
If true, the flag prevents ColdFusion from dynamically compiling CFML code into Java bytecode at runtime.
-Dcoldfusion.datasource.blocked.properties
None
The connection strings mentioned are allowed if a new database is added. To block their usage in the database, remove them from the property. The strings are:
  • allowLoadLocalInfile
  • allowUrlInLocalInfile
  • autoDeserialize
Note:
This flag WILL NOT work after Update 5 of ColdFusion 2025.
-Dcoldfusion.compiler.block.bytecode
True
If true, the flag prevents ColdFusion from executing pre-compiled CFML code (Java bytecode) at runtime.
Other flags in ColdFusion (2025 release)
JVM argument
Default
Description
-Dcoldfusion.encryption.useCFMX_COMPATAsDefault
True
This property is removed.
-Dcoldfusion.searchimplicitscopes
True
The flag allows you to enable or disable searching for an un-scoped variable in implicit scopes. The flag controls how ColdFusion searches for variables across implicit scopes, such as variables, arguments, form, URL, and others, when no explicit scope is defined in the code.
For proper security enforcement, the recommended value of this flag is false. When the flag is set to false, ColdFusion does not automatically search implicit scopes.
The flag was introduced to support customer transition and is scheduled for removal once these transition efforts reach maturity. While no specific timeline has been set for its removal, customers are advised to discontinue use of this flag.
-Dcfdocument.metahttpequivrefresh.localfile
True
Impacts how the <cfdocument> tag handles the meta refresh directive when generating PDFs from local files.
-Djdk.lang.Process.allowAmbiguousCommands
False
Related to how Java allows ambiguous command-line parsing on Windows.
-Dcoldfusion.sessioncookie.httponly
False
Determines if session cookies must be restricted from client-side JavaScript access.
-Dcoldfusion.xml.allowPathCharacters
True
Controls whether XML parsing allows file path characters (such as slashes /, backslashes \, or colons :) in element names, attributes, or values.
-Duser.timezone=<timezone>.
If you want UTC timezone, use -Duser.timezone=GMT
Sets the time zone of the ColdFusion host.
-Dfile.encoding
UTF-8
Sets the encoding of ColdFusion files, e.g., .cfc or .cfm.
-Dcoldfusion.monitoring.id.reset
True
Controls whether the monitoring ID used by ColdFusion’s Performance Monitoring Toolset (PMT) must be reset when the server starts.
-Dcoldfusion.number.allowdotsuffix
False
If set to false, an operand that has a trailing dot is evaluated as a string.
-Djdk.tls.client.protocols
TLSv1.2,TLSv1.3
Specifies the TLS protocols that are used by TLS/SSL clients when establishing secure connections.
-Dhttps.protocols
TLSv1.2,TLSv1.3
Specifies the TLS protocols that are used by HTTPS connections in ColdFusion.
-Dcoldfusion.sftp.enable-ssh-rsa
False
Set the flag to True to enable the ssh-rsa algorithm.
-Dcoldfusion.sftp.fingerprint
SHA256
Set the flag to md5, for example, to enforce SFTP connections using the md5 algorithm.
-Dcoldfusion.application.orderby.caseinsensitive
True
Determines if string columns are being ordered by the Order By clause like traditional databases.
-Dcoldfusion.jdbc.mysql.datetime.str
True
If set to True, converts MySQL datetime objects to strings.
-Dcoldfusion.jdbc.mssql.multi_resultset.supported
True
Controls the resultset parsing behavior for ResultSets.
-Dorg.osgi.framework.bootdelegation
com.singularity.*
Enables scheduled tasks to run in a Docker image.
-Dcoldfusion.orderedstruct.size
32
Sets the size of ordered structs.
-Dcoldfusion.http.usepooling
True
Controls whether HTTP connections should be pooled and reused when making outbound HTTP requests from ColdFusion.
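
Added example (not Adobe's code): a Python audit that reads a JVM argument string and reports every flag from the tables above that is set to the value the descriptions say weakens a protection, plus searchimplicitscopes, whose default differs from the recommended value. Assumptions: the string is taken from the java.args entry of the server's jvm.config, boolean values are compared case-insensitively, several allowed datasource properties are comma-separated, and the function names are hypothetical.

```python
import shlex

# Flag -> value that, per the descriptions above, switches a protection off.
RISKY = {
    "coldfusion.attachment.allowblockedextensions": "true",
    "coldfusion.xml.saxon.allowEnvironmentVariable": "true",
    "coldfusion.xml.saxon.allowResultDocument": "true",
    "coldfusion.xml.saxon.allowUnparsedText": "true",
    "coldfusion.xml.saxon.allowDocFunction": "true",
    "coldfusion.xml.allowExternalEntities": "true",
    "coldfusion.pdf.ddx.allowExternalEntities": "true",
    "coldfusion.systemprobe.allowexecution": "true",
    "coldfusion.websocket.selector.validation": "false",
    "coldfusion.deserialization.safeguard.enabled": "false",
    "coldfusion.compiler.block.bytecode": "false",
}
RECOMMENDED_FALSE = "coldfusion.searchimplicitscopes"  # default True, recommended false
ALLOWED_PROPS = "coldfusion.datasource.allowed.properties"

def parse_props(java_args):
    """Return {property: value} for every -D token; a later duplicate overrides."""
    props = {}
    for tok in shlex.split(java_args):
        if tok.startswith("-D"):
            name, _, value = tok[2:].partition("=")
            props[name] = value.strip()
    return props

def audit(java_args):
    """Return sorted (property, value, finding) tuples for weakened settings."""
    props = parse_props(java_args)
    out = []
    for name, risky in RISKY.items():
        if props.get(name, "").lower() == risky:
            out.append((name, props[name], "protection disabled"))
    sis = props.get(RECOMMENDED_FALSE, "(default)")
    if sis.lower() != "false":  # an absent flag means the default (True) applies
        out.append((RECOMMENDED_FALSE, sis, "recommended value is false"))
    allowed = [p for p in props.get(ALLOWED_PROPS, "").split(",") if p.strip()]
    if allowed:  # default None blocks all connection-string properties
        out.append((ALLOWED_PROPS, ",".join(allowed), "connection properties allowed"))
    return sorted(out)

# Constructed sample argument string (not taken from a real server).
SAMPLE = ("-server -Dcoldfusion.xml.allowExternalEntities=false "
          "-Dcoldfusion.xml.allowExternalEntities=TRUE "
          "-Dcoldfusion.deserialization.safeguard.enabled=false "
          "-Dcoldfusion.datasource.allowed.properties=autoDeserialize "
          "-Dcoldfusion.searchimplicitscopes=false")
```

Calling audit(SAMPLE) reports the duplicated allowExternalEntities flag by its last value, which is why a reviewer should not stop at the first occurrence of a flag in the file.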
