Cloudflare addressed a vulnerability in its Mutual TLS (mTLS) implementation that allowed TLS session resumption to bypass client certificate validation. This flaw, tracked as CVE-2025-23419, was mitigated within 32 hours of discovery. Although the vulnerability did not appear to have been actively exploited, Cloudflare took action to enhance security for customers using mTLS.
Affected: Cloudflare, mTLS users
Key points:
- Cloudflare’s mTLS vulnerability was discovered via its Bug Bounty Program.
- The issue allowed resumption of TLS sessions without revalidating client certificates across different zones.
- The vulnerability was tracked as CVE-2025-23419 and addressed within 32 hours.
- Customers using Cloudflare API Shield and certain access policies were not vulnerable.
- Session resumption was disabled for all mTLS-enabled customers as a mitigation measure.
- Enhanced logging and additional security measures are recommended for customers to protect against potential issues.
- Cloudflare thanked the researcher for responsibly disclosing the vulnerability.
MITRE Techniques:
- TLS: Encryption of traffic between client and server using Transport Layer Security to protect data confidentiality.
- Session Resumption (T1194): BoringSSL’s implementation did not revalidate client certificates on session resumption due to incorrect use of the partitioning API, allowing a potential security bypass.
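The session-cache behaviour described above, as a simplified model. This is an added example, not Cloudflare or BoringSSL code: the Edge class, the zone names, the CA labels and the ticket value are all constructed for illustration. It contrasts a resumption cache shared across zones with one partitioned per zone.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Session:
    zone: str            # zone whose mTLS policy verified the certificate
    client_cert_ca: str  # CA that issued the verified client certificate

@dataclass
class Edge:
    """Toy TLS terminator serving several zones (hypothetical model)."""
    zone_ca: dict        # zone -> CA that the zone's mTLS policy trusts
    partitioned: bool    # True: cache keyed by (zone, ticket); False: by ticket only
    cache: dict = field(default_factory=dict)

    def _key(self, zone, ticket):
        return (zone, ticket) if self.partitioned else ticket

    def full_handshake(self, zone, ticket, cert_ca):
        # A full handshake validates the presented certificate for this zone.
        if cert_ca != self.zone_ca[zone]:
            return "rejected"
        self.cache[self._key(zone, ticket)] = Session(zone, cert_ca)
        return "authenticated"

    def resume(self, zone, ticket):
        # Resumption trusts the cached session and performs no certificate
        # validation, so the cache key is the only thing scoping it to a zone.
        session = self.cache.get(self._key(zone, ticket))
        if session is None:
            return "full-handshake-required"
        return "authenticated"

def demo(partitioned):
    # Constructed zones and CAs: each zone trusts a different client CA.
    edge = Edge({"a.example": "CA-A", "b.example": "CA-B"}, partitioned)
    first = edge.full_handshake("a.example", "ticket-1", "CA-A")
    cross_zone = edge.resume("b.example", "ticket-1")  # cert never checked for b
    same_zone = edge.resume("a.example", "ticket-1")
    return first, cross_zone, same_zone

if __name__ == "__main__":
    print("shared cache:     ", demo(partitioned=False))
    print("partitioned cache:", demo(partitioned=True))
```

With the shared cache the cross-zone resumption is accepted even though b.example never validated the certificate; with the partitioned cache the same request falls back to a full handshake.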
Indicators of Compromise:
- [Certificate DN] CN=Taskstar Root CA,OU=Taskstar, Inc.,L=London,ST=London,C=UK
- [Certificate Serial] 7AB07CC0D10C38A1B554C728F230C7AF0FF12345
- [Certificate SHA256] 528a65ce428287e91077e4a79ed788015b598deedd53f17099c313e6dfbc87ea
- [Certificate SHA1] 64baa4691c061cd7a43b24bccb25545bf28f1111
- [Certificate SKI] A5AC554235DBA6D963B9CDE0185CFAD6E3F55E8F
Full Story: https://blog.cloudflare.com/resolving-a-mutual-tls-session-resumption-vulnerability/