Company:
Date Published:
Author: Matt Bullock, Rushil Mehra, Alessandro Ghedini
Word count: 1331
Language: English
Hacker News points: None

Summary

Cloudflare's Mutual TLS (mTLS) implementation was found to have a vulnerability in its TLS session resumption handling that allowed attackers to bypass mTLS authentication and reach protected resources. The issue was reported through Cloudflare's Bug Bounty Program and is tracked as CVE-2025-23419. Cloudflare mitigated it within 32 hours of being notified by disabling TLS session resumption for all customers using mTLS. Customers can implement mTLS, which establishes a mutually authenticated connection between client and server, through Cloudflare API Shield with custom firewall rules and through the Cloudflare Zero Trust product suite. The root cause was an incorrect use of BoringSSL's session cache partitioning API, which allowed an attacker to reuse a cached client certificate from a resumed session without it being re-validated against the full certificate chain. As a further mitigation, Cloudflare has added logging headers to its logs so that customers can detect similar issues in the future and enforce stricter authentication policies.