Resolving a Mutual TLS session resumption vulnerability
ID: 88a5528a-9a84-5880-9b41-d35d2be19fb1
STIX ID: report--88a5528a-9a84-5880-9b41-d35d2be19fb1
Feed Name: Cloudflare Blog
Cloudflare disclosed a vulnerability (CVE-2025-23419) in its mTLS session resumption handling that allowed a client authenticated to one Cloudflare zone to reuse a resumed TLS session to access another zone without revalidating the client certificate. The issue stemmed from incorrect use of BoringSSL session partitioning APIs; Cloudflare mitigated the problem within 32 hours by disabling TLS session resumption for mTLS, noting no evidence of active exploitation and providing guidance for additional logging and hardening.
