On January 23, 2025, Cloudflare was notified through its Bug Bounty Program of a vulnerability in Cloudflare’s Mutual TLS (mTLS) implementation.
The vulnerability affected customers who were using mTLS and concerned a flaw in our session resumption handling. Cloudflare's investigation revealed no evidence that the vulnerability was being actively exploited. Tracked as CVE-2025-23419, the vulnerability was mitigated within 32 hours of Cloudflare being notified. Customers who were using Cloudflare's API Shield along with WAF custom rules that validated the issuer's Subject Key Identifier (SKI) were not vulnerable. Access policies such as identity verification, IP address restrictions, and device posture assessments were also not vulnerable.
The bug bounty report detailed that a client with a valid mTLS certificate for one Cloudflare zone could use the same certificate to resume a TLS session with another Cloudflare zone using mTLS, without having to authenticate the certificate with the second zone.
Cloudflare customers can implement mTLS via Cloudflare API Shield with Custom Firewall Rules and the Cloudflare Zero Trust product suite. Cloudflare establishes the TLS session with the client and forwards the client certificate to Cloudflare's Firewall or Zero Trust products, where customer policies are enforced.
mTLS operates by extending the standard TLS handshake to require authentication from both sides of a connection – the client and the server. In a typical TLS session, a client connects to a server, which presents its TLS certificate. The client verifies the certificate, and upon successful validation, an encrypted session is established. With mTLS, however, the client also presents its own TLS certificate, which the server verifies before the connection is fully established. Only if both certificates are validated does the session proceed, ensuring bidirectional trust.
mTLS is useful for securing API communications, as it ensures that only legitimate and authenticated clients can interact with backend services. Unlike traditional authentication mechanisms that rely on credentials or tokens, mTLS requires possession of a valid certificate and its corresponding private key.
To improve TLS connection performance, Cloudflare employs session resumption. Session resumption speeds up the handshake process, reducing both latency and resource consumption. The core idea is that once a client and server have successfully completed a TLS handshake, future handshakes should be streamlined, assuming that fundamental parameters such as the cipher suite or TLS version remain unchanged.
There are two primary mechanisms for session resumption: session IDs and session tickets. With session IDs, the server stores the session context and associates it with a unique session ID. When a client reconnects and presents this session ID in its ClientHello message, the server checks its cache. If the session is still valid, the handshake is resumed using the cached state.
Session tickets function in a stateless manner. Instead of storing session data, the server encrypts the session context and sends it to the client as a session ticket. In future connections, the client includes this ticket in its ClientHello, which the server can then decrypt to restore the session, eliminating the need for the server to maintain session state.
A resumed mTLS session leverages previously established trust, allowing clients to reconnect to a protected application without needing to re-initiate an mTLS handshake.
The mTLS resumption vulnerability
In Cloudflare's mTLS implementation, however, session resumption introduced an unintended behavior. BoringSSL, the TLS library that Cloudflare uses, stores the client certificate from the originating, full TLS handshake in the session. Upon resuming that session, the client certificate is not revalidated against the full chain of trust; the original handshake's verification status is honored instead. To avoid this situation, BoringSSL provides an API to partition session caches/tickets between different "contexts" defined by the application. Unfortunately, Cloudflare's use of this API was not correct, which allowed TLS sessions to be resumed when they should not have been.
To exploit this vulnerability, the security researcher first set up two zones on Cloudflare and configured them behind Cloudflare's proxy with mTLS enabled. Once their domains were configured, the researcher authenticated to the first zone using a valid client certificate, allowing Cloudflare to issue a TLS session ticket against that zone.
The researcher then modified the TLS Server Name Indication (SNI) and HTTP Host header from the first zone (which they had authenticated with) to target the second zone (which they had not authenticated with), and presented the session ticket when handshaking with the second Cloudflare-protected mTLS zone. This resulted in Cloudflare resuming the session with the second zone and reporting the verification status of the cached client certificate as successful, bypassing the mTLS authentication that would normally be required to initiate a session.
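The two-zone scenario above, modeled as an added example (this is not Cloudflare's or BoringSSL's code): a session ticket that carries the client-certificate verification result, the resumption path that trusts it for whatever zone the SNI names, beside one that refuses any ticket whose session-ID context (the per-application partition BoringSSL exposes through SSL_set_session_id_context) does not match the zone being handshaked. The zone names, the HMAC-authenticated ticket format and the ticket key are constructed for the model.

```python
import base64
import hashlib
import hmac
import json

# Constructed ticket key for the model; a real server uses rotating random keys.
TICKET_KEY = b"constructed-demo-ticket-key"


def issue_ticket(session: dict, key: bytes = TICKET_KEY) -> bytes:
    """Model of a session ticket: the server hands the client an authenticated copy
    of the session state, including the client-cert verification result and the
    session-ID context (sid_ctx) the full handshake ran under."""
    body = base64.b64encode(json.dumps(session, sort_keys=True).encode())
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def open_ticket(ticket: bytes, key: bytes = TICKET_KEY):
    """Return the session state, or None if the ticket was tampered with."""
    body, _, tag = ticket.rpartition(b".")
    expect = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expect):
        return None
    return json.loads(base64.b64decode(body))


def resume_vulnerable(ticket: bytes, sni: str):
    """Flawed path: any intact ticket resumes, and the cached verification status
    is reported for whichever zone the ClientHello names in SNI."""
    session = open_ticket(ticket)
    if session is None:
        return None
    return {"zone": sni, "client_cert_verified": session["client_cert_verified"]}


def resume_fixed(ticket: bytes, sni: str):
    """Partitioned path: resumption is refused unless the ticket's session-ID
    context matches the zone being handshaked, so any other zone gets a full
    handshake and a fresh client-certificate validation."""
    session = open_ticket(ticket)
    if session is None or session.get("sid_ctx") != sni:
        return None
    return {"zone": sni, "client_cert_verified": session["client_cert_verified"]}


if __name__ == "__main__":
    # Constructed scenario: a full mTLS handshake with zone A issued this ticket.
    t = issue_ticket({"sid_ctx": "a.example", "client_cert_sha256": "ab" * 32,
                      "client_cert_verified": True})
    print("vulnerable, zone B:", resume_vulnerable(t, "b.example"))
    print("fixed, zone B:", resume_fixed(t, "b.example"))
```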
If you were using additional validation methods in your API Shield or Access policies – for example, checking the issuer's SKI, identity verification, IP address restrictions, or device posture assessments – these controls continued to function as intended. However, due to the issue with TLS session resumption, the mTLS checks themselves mistakenly returned a passing result without re-evaluating the full certificate chain.
We have disabled TLS session resumption for all customers that have mTLS enabled. As a result, Cloudflare no longer allows resuming sessions that cache client certificates and their verification status.
We are exploring ways to bring back the performance improvements of TLS session resumption for mTLS customers.
Customers can further harden their mTLS configuration and add enhanced logging to detect future issues by using Cloudflare's Transform Rules, logging, and firewall features.
While Cloudflare has mitigated the issue by disabling session resumption for mTLS connections, customers may want to implement additional monitoring at their origin to enforce stricter authentication policies. All customers using mTLS can also enable additional request headers using our Managed Transforms product. Enabling this feature allows us to pass additional metadata to your origin with the details of the client certificate that was used for the connection.
Enabling this feature allows you to see the following headers where mTLS is being applied on a request.
{
  "headers": {
    "Cf-Cert-Issuer-Dn": "CN=Taskstar Root CA,OU=Taskstar, Inc.,L=London,ST=London,C=UK",
    "Cf-Cert-Issuer-Dn-Legacy": "/C=UK/ST=London/L=London/OU=Taskstar, Inc./CN=Taskstar Root CA",
    "Cf-Cert-Issuer-Dn-Rfc2253": "CN=Taskstar Root CA,OU=Taskstar, Inc.,L=London,ST=London,C=UK",
    "Cf-Cert-Issuer-Serial": "7AB07CC0D10C38A1B554C728F230C7AF0FF12345",
    "Cf-Cert-Issuer-Ski": "A5AC554235DBA6D963B9CDE0185CFAD6E3F55E8F",
    "Cf-Cert-Not-After": "Jul 29 10:26:00 2025 GMT",
    "Cf-Cert-Not-Before": "Jul 29 10:26:00 2024 GMT",
    "Cf-Cert-Presented": "true",
    "Cf-Cert-Revoked": "false",
    "Cf-Cert-Serial": "0A62670673BFBB5C9CA8EB686FA578FA111111B1B",
    "Cf-Cert-Sha1": "64baa4691c061cd7a43b24bccb25545bf28f1111",
    "Cf-Cert-Sha256": "528a65ce428287e91077e4a79ed788015b598deedd53f17099c313e6dfbc87ea",
    "Cf-Cert-Ski": "8249CDB4EE69BEF35B80DA3448CB074B993A12A3",
    "Cf-Cert-Subject-Dn": "CN=MB,OU=Taskstar Admins,O=Taskstar,L=London,ST=Essex,C=UK",
    "Cf-Cert-Subject-Dn-Legacy": "/C=UK/ST=Essex/L=London/O=Taskstar/OU=Taskstar Admins/CN=MB",
    "Cf-Cert-Subject-Dn-Rfc2253": "CN=MB,OU=Taskstar Admins,O=Taskstar,L=London,ST=London,C=UK",
    "Cf-Cert-Verified": "true",
    "Cf-Client-Cert-Sha256": "083129c545d7311cd5c7a26aabe3b0fc76818495595cea92efe111150fd2da2"
  }
}
Enterprise customers can also use our Cloudflare Logs product to add these headers via the Logs Custom Fields feature. For example, adding the issuer SKI and certificate SHA-256 headers as custom fields will add the following information to Cloudflare Logs.
"RequestHeaders": {
  "cf-cert-issuer-ski": "A5AC554235DBA6D963B9CDE0185CFAD6E3F55E8F",
  "cf-cert-sha256": "528a65ce428287e91077e4a79ed788015b598deedd53f17099c313e6dfbc87ea"
},
Customers already logging this information, either at their origin or via Cloudflare Logs, can retroactively check for unexpected certificate hashes or issuers that did not trigger any security policy.
Customers are also able to use this information within their WAF custom rules to conduct additional checks. For example, checking the issuer's SKI can provide an extra layer of security.
Customers who had enabled this additional check were not vulnerable.
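As an added example (not Cloudflare's own tooling) of the retroactive check described above: a sweep over Cloudflare Logs records, with the cf-cert-issuer-ski and cf-cert-sha256 custom fields enabled, that flags requests whose issuer SKI is not the one each zone's mTLS policy expects, which is what a certificate accepted across zones would look like in the logs. The log lines, zone names and zone B's issuer SKI are constructed; the Logpush field names ClientRequestHost and RequestHeaders are assumed.

```python
import json

# Constructed Cloudflare Logs records. "ClientRequestHost" and "RequestHeaders" are
# assumed Logpush HTTP-request field names; zone A's header values are the ones shown
# in the post, zone B's issuer SKI is a placeholder.
SAMPLE_LOG_LINES = [
    '{"ClientRequestHost": "api.zone-a.example", "RequestHeaders": {'
    '"cf-cert-issuer-ski": "A5AC554235DBA6D963B9CDE0185CFAD6E3F55E8F", '
    '"cf-cert-sha256": "528a65ce428287e91077e4a79ed788015b598deedd53f17099c313e6dfbc87ea"}}',
    '{"ClientRequestHost": "api.zone-b.example", "RequestHeaders": {'
    '"cf-cert-issuer-ski": "A5AC554235DBA6D963B9CDE0185CFAD6E3F55E8F", '
    '"cf-cert-sha256": "528a65ce428287e91077e4a79ed788015b598deedd53f17099c313e6dfbc87ea"}}',
    '{"ClientRequestHost": "api.zone-b.example", "RequestHeaders": {'
    '"cf-cert-issuer-ski": "1111111111111111111111111111111111111111", '
    '"cf-cert-sha256": "0000000000000000000000000000000000000000000000000000000000000000"}}',
    '{"ClientRequestHost": "api.zone-a.example", "RequestHeaders": {}}',
    'not json',
]

# The issuer SKI each zone's mTLS policy is supposed to accept (constructed).
EXPECTED_ISSUER_SKI = {
    "api.zone-a.example": "A5AC554235DBA6D963B9CDE0185CFAD6E3F55E8F",
    "api.zone-b.example": "1111111111111111111111111111111111111111",
}


def find_unexpected_issuers(lines, expected=EXPECTED_ISSUER_SKI):
    """Flag requests that carried client-certificate metadata whose issuer SKI is
    not the one expected for the requested host."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: skip it rather than abort the sweep
        host = rec.get("ClientRequestHost", "")
        headers = rec.get("RequestHeaders") or {}
        ski = (headers.get("cf-cert-issuer-ski") or "").upper()
        if not ski:
            continue  # no client certificate on this request; nothing to compare
        want = expected.get(host)
        if want is None or ski != want.upper():
            findings.append({"line": n, "host": host, "issuer_ski": ski,
                             "cert_sha256": headers.get("cf-cert-sha256")})
    return findings


if __name__ == "__main__":
    for f in find_unexpected_issuers(SAMPLE_LOG_LINES):
        print(f)
```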
We sincerely thank the security researcher who responsibly disclosed this issue via our HackerOne Bug Bounty Program, allowing us to identify and mitigate the vulnerability. We welcome further submissions from our community of researchers to continuously improve the security of our products.
Finally, we want to apologize to our mTLS customers. Security is at the core of everything we do at Cloudflare, and we deeply regret any concerns this issue may have caused. We have taken immediate steps to resolve the vulnerability and have implemented additional safeguards to prevent similar issues in the future.
All timestamps are in UTC.
- 2025-01-23 15:40 – Cloudflare is notified of a vulnerability in Mutual TLS and the use of session resumption.
- 2025-01-23 16:02 to 21:06 – Cloudflare validates the Mutual TLS vulnerability and prepares a release to disable session resumption for Mutual TLS.
- 2025-01-23 21:26 – Cloudflare begins rollout of the remediation.
- 2025-01-24 20:15 – Rollout completed. Vulnerability is remediated.
Matt Bullock