CVE-2025-58369
BaseFortify
Publication date: 2025-09-05
Last updated on: 2025-11-07
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| typelevel | fs2 | 3.13.0-M6 |
| typelevel | fs2 | 3.0.0-M1 |
| typelevel | fs2 | 3.12.2 |
| typelevel | fs2 | 3.12.1 |
| typelevel | fs2 | 3.13.0-M1 |
| typelevel | fs2 | 3.13.0-M7 |
| typelevel | fs2 | 2.5.12 |
| typelevel | fs2 | 2.5.13 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects fs2, the streaming I/O library for Scala, in versions 3.12.1 and lower (from 3.0.0-M1) and in 3.13.0-M1 through 3.13.0-M6. It occurs during TLS session establishment using the fs2.io.net.tls package on the JVM. If one side of the connection shuts down its write stream while the other side is still waiting for more data to continue the TLS handshake, the waiting side enters a spin loop on the socket read: once the peer has half-closed, each read returns end-of-stream immediately instead of blocking, the handshake can never complete, and the loop burns a full CPU core until the connection is closed. This is uncontrolled resource consumption (CWE-400) and leads to denial of service.
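The failure mode above, modelled in plain Python sockets as an added example (this is not fs2 code and does not use the fs2 API). The reader needs a complete TLS record before its handshake state machine can advance; the peer sends part of one and then half-closes with shutdown(SHUT_WR). The "vulnerable" reader treats end-of-stream like "no data yet" and re-reads immediately, which is the spin; the "fixed" reader fails the handshake on EOF. The record bytes are constructed for the demo, not captured traffic, and the max_reads bound exists only so the vulnerable loop terminates here.

```python
"""Spin-on-EOF during a TLS handshake: vulnerable reader next to a fixed one.
Added illustration, not fs2 code; plain sockets model the JVM socket read."""
import socket
import threading

RECORD_HEADER_LEN = 5  # ContentType(1) + ProtocolVersion(2) + length(2)

# Constructed sample inputs (not captured traffic).
# Header announces a 512-byte handshake body, but only 2 body bytes are ever sent.
PARTIAL_RECORD = bytes.fromhex("16 03 03 02 00 01 00")
# A complete handshake record with a 2-byte body (tiny, not a valid ClientHello).
COMPLETE_RECORD = bytes.fromhex("16 03 03 00 02 01 00")


class HandshakeAborted(Exception):
    """Raised by the fixed reader when the peer closes mid-handshake."""


def bytes_outstanding(buf: bytes) -> int:
    """How many more bytes the first TLS record in buf needs; 0 when it is complete."""
    if len(buf) < RECORD_HEADER_LEN:
        return RECORD_HEADER_LEN - len(buf)
    body_len = int.from_bytes(buf[3:5], "big")
    return max(0, RECORD_HEADER_LEN + body_len - len(buf))


def read_record_vulnerable(sock: socket.socket, max_reads: int = 10_000):
    """Pre-fix behaviour: recv() returning b'' (EOF) is appended as if it were
    'nothing yet', so the loop calls recv() again at once, gets b'' again, and spins.
    max_reads only makes the demo terminate; the real loop has no such bound.
    Returns (number_of_reads, record_or_None)."""
    buf = b""
    reads = 0
    while bytes_outstanding(buf) > 0:
        if reads >= max_reads:
            return reads, None  # would spin forever in the real bug
        buf += sock.recv(4096)  # returns b"" immediately after the peer's SHUT_WR
        reads += 1
    return reads, buf


def read_record_fixed(sock: socket.socket):
    """Fixed behaviour: EOF while handshake bytes are outstanding aborts the handshake."""
    buf = b""
    reads = 0
    while (need := bytes_outstanding(buf)) > 0:
        chunk = sock.recv(4096)
        reads += 1
        if not chunk:
            raise HandshakeAborted(
                f"peer closed its write side with {need} handshake bytes outstanding")
        buf += chunk
    return reads, buf


def half_closing_peer(sock: socket.socket, payload: bytes) -> None:
    """Send payload, then close only the write side; the connection itself stays up."""
    sock.sendall(payload)
    sock.shutdown(socket.SHUT_WR)


def run(reader, payload: bytes):
    """Drive reader against a peer that sends payload and then half-closes."""
    server, client = socket.socketpair()
    peer = threading.Thread(target=half_closing_peer, args=(client, payload))
    peer.start()
    try:
        return reader(server)
    finally:
        peer.join()
        client.close()
        server.close()


def fixed_reader_aborts(payload: bytes) -> bool:
    """True if the fixed reader fails the handshake for this payload."""
    try:
        run(read_record_fixed, payload)
    except HandshakeAborted:
        return True
    return False


if __name__ == "__main__":
    reads, _ = run(read_record_vulnerable, PARTIAL_RECORD)
    print(f"vulnerable reader: {reads} recv() calls and still waiting (never stops)")
    try:
        run(read_record_fixed, PARTIAL_RECORD)
    except HandshakeAborted as e:
        print(f"fixed reader: {e}")
    reads, rec = run(read_record_fixed, COMPLETE_RECORD)
    print(f"fixed reader, complete record: {reads} recv() call(s), {len(rec)} bytes")
```

The point of the half-close is that the TCP connection is not torn down: the reader's socket stays open, so nothing outside the handshake loop ever closes it, and the spin lasts until something else does. The same check (abort when a read returns end-of-stream while the handshake still needs input) is what any TLS handshake loop needs, whichever library implements it.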
How can this vulnerability impact me?
The vulnerability causes a denial of service through CPU exhaustion on a server or application that uses fs2-io for TLS. The trigger needs no credentials, because it happens inside the TLS handshake, before any application-level authentication: a remote peer only has to start a handshake and then shut down its write side while keeping the connection open. Each such connection pins a CPU core for as long as it stays open, so a small number of connections can saturate every core of a server powered by fs2-io and make it unresponsive, disrupting service availability. An fs2-io client is affected in the same way if the server it connects to half-closes mid-handshake.
What immediate steps should I take to mitigate this vulnerability?
Upgrade fs2 to version 3.12.2 or later, or on the 3.13 milestone line to 3.13.0-M7 or later; these releases contain the fix for this denial of service vulnerability. Because the spin only ends when the connection is closed, an interim measure while the upgrade is pending is to enforce a timeout on handshake completion from outside the affected code, for example at a reverse proxy or load balancer that terminates TLS in front of the service, so that stalled connections are closed rather than left pinning a core.