CVE-2025-58369
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-05

Last updated on: 2025-11-07

Assigner: GitHub, Inc.

Description
fs2 is a compositional, streaming I/O library for Scala. Versions up to and including 2.5.12, 3.0.0-M1 through 3.12.2, and 3.13.0-M1 through 3.13.0-M6 are vulnerable to denial of service attacks though TLS sessions using fs2-io on the JVM using the fs2.io.net.tls package. When establishing a TLS session, if one side of the connection shuts down `write` while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. The CPU is consumed until the overall connection is closed, potentially shutting down a fs2-io powered server. This issue is fixed in versions 2.5.13, 3.12.1, and 3.13.0-M7.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-05
Last Modified
2025-11-07
Generated
2026-06-16
AI Q&A
2025-09-06
EPSS Evaluated
2026-06-15
NVD
CVE-2025-58369
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
typelevel fs2 3.13.0-M6
typelevel fs2 3.0.0-M1
typelevel fs2 3.12.2
typelevel fs2 3.12.1
typelevel fs2 3.13.0-M1
typelevel fs2 3.13.0-M7
typelevel fs2 2.5.12
typelevel fs2 2.5.13
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects the fs2 streaming I/O library for Scala, specifically versions 3.12.2 and lower and 3.13.0-M1 through 3.13.0-M6. It occurs during TLS session establishment using the fs2.io.net.tls package on the JVM. If one side of the connection shuts down its write stream while the other side is waiting for more data to continue the TLS handshake, the waiting side enters a spin loop on the socket read, causing full CPU utilization until the connection is closed. This can lead to denial of service.

Impact Analysis

The vulnerability can cause a denial of service by making the CPU fully utilized on the affected server or application using fs2-io during TLS handshakes. This high CPU usage can potentially shut down a server powered by fs2-io, disrupting service availability.

Mitigation Strategies

Upgrade fs2 to version 3.12.1 or later, or to 3.13.0-M7 or later, as these versions contain the fix for this denial of service vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58369. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart