Description

fs2 is a compositional, streaming I/O library for Scala. Versions up to and including 2.5.12, 3.0.0-M1 through 3.12.2, and 3.13.0-M1 through 3.13.0-M6 are vulnerable to denial of service attacks though TLS sessions using fs2-io on the JVM using the fs2.io.net.tls package. When establishing a TLS session, if one side of the connection shuts down `write` while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. The CPU is consumed until the overall connection is closed, potentially shutting down a fs2-io powered server. This issue is fixed in versions 2.5.13, 3.12.1, and 3.13.0-M7.

INFO

Published Date :

2025-09-05T21:59:58.981Z

Last Modified :

2025-11-07T11:52:43.148Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-58369 vulnerability.

Vendors Products
Typelevel
  • Fs2
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-58369.

URL Resource
https://github.com/typelevel/fs2/commit/46e2dc3abf994dcf3d0b804b2ddb3c10c04d4976 cve-icon cve-icon
https://github.com/typelevel/fs2/commit/5c6c4c6c1ef330f7e6b53661ecc63d5f5ba8885c cve-icon cve-icon
https://github.com/typelevel/fs2/commit/edf0c4f2e660360d1c1a8c5377ce32294de89238 cve-icon cve-icon
https://github.com/typelevel/fs2/issues/3590 cve-icon cve-icon
https://github.com/typelevel/fs2/releases/tag/v3.12.2 cve-icon cve-icon
https://github.com/typelevel/fs2/releases/tag/v3.13.0-M7 cve-icon cve-icon
https://github.com/typelevel/fs2/security/advisories/GHSA-rrw2-px9j-qffj cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact