Impact
ColdFusion versions 2023.18, 2025.6 and earlier contain an uncontrolled resource consumption flaw that can cause a significant loss of application performance, effectively rendering the web application unavailable. The weakness, classified as CWE-400, lets an attacker deplete system resources such as memory or CPU, resulting in a denial of service for legitimate users. Exploitation requires high privileges but no further privilege escalation, and it does not depend on user interaction.
Affected Systems
The affected product is Adobe ColdFusion, specifically versions 2023.18 and 2025.6 together with all versions older than those. Any installation running one of these versions is potentially vulnerable until an update or mitigation is applied.
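The version range above has two release lines with different cut-offs, which makes a quick inventory triage easy to get wrong by hand. The following Python is an added example, not code from OpenCVE or Adobe: it encodes the advisory's range (2023.18, 2025.6 and everything older) as a check, assumes ColdFusion version strings of the form "YYYY.N" (year-based release line, then update number), and conservatively treats any release line it does not know as affected.

```python
"""Classify ColdFusion version strings against the advisory's affected range."""
import re

# Last affected update per release line, taken from the advisory text.
# Everything older than these (e.g. the 2021 and 2018 lines) is also affected.
LAST_AFFECTED_UPDATE = {2023: 18, 2025: 6}


def parse_version(text: str) -> tuple[int, int]:
    """Parse '2023.18', '2025.6' or '2021.0.17' into (release_line, update).

    Assumption: the first component is the year-based release line and the
    second is the update number; a missing update is treated as 0.
    """
    m = re.match(r"^\s*(\d{4})(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised ColdFusion version string: {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def is_affected(text: str) -> bool:
    """True if the version falls inside the advisory's affected range."""
    line, update = parse_version(text)
    newest_listed_line = max(LAST_AFFECTED_UPDATE)
    if line > newest_listed_line:
        # A release line newer than any the advisory lists is out of scope.
        return False
    if line in LAST_AFFECTED_UPDATE:
        # Within a listed line, only updates up to the cut-off are affected.
        return update <= LAST_AFFECTED_UPDATE[line]
    # Older lines, and any unlisted line in between, are treated as affected
    # (conservative choice for an unlisted line).
    return True


def triage(inventory: list[tuple[str, str]]) -> list[tuple[str, str, bool]]:
    """Annotate a (host, version) inventory with the affected flag."""
    return [(host, ver, is_affected(ver)) for host, ver in inventory]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [
        ("cf-prod-01", "2025.6"),
        ("cf-prod-02", "2025.7"),
        ("cf-stage-01", "2023.18"),
        ("cf-stage-02", "2023.19"),
        ("cf-legacy-01", "2021.0.17"),
    ]
    for host, ver, affected in triage(sample):
        print(f"{host:14} {ver:10} {'AFFECTED' if affected else 'ok'}")
```

The conservative default matters for the unlisted case: a version parser that returns "not affected" for anything it cannot match would silently hide legacy hosts, so unknown lines are flagged and unparsable strings raise instead of passing.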
Risk and Exploitability
The CVSS score of 2.4 indicates a low severity assessment, and the EPSS score is not available, suggesting limited evidence of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Because the flaw can be triggered by a high-privileged attacker without user interaction, an internal threat actor could exploit it to disrupt services. Although the risk is low from a CVSS perspective, the impact on service availability can be substantial, especially for mission-critical applications.
OpenCVE Enrichment