CVE-2025-58369

fs2 is a compositional, streaming I/O library for Scala. Versions up to and including 2.5.12, 3.0.0-M1 through 3.12.2, and 3.13.0-M1 through 3.13.0-M6 are vulnerable to denial of service attacks though TLS sessions using fs2-io on the JVM using the fs2.io.net.tls package. When establishing a TLS session, if one side of the connection shuts down write while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. The CPU is consumed until the overall connection is closed, potentially shutting down a fs2-io powered server. This issue is fixed in versions 2.5.13, 3.12.1, and 3.13.0-M7.

Published: Sep 5, 2025
Updated: Nov 17, 2025
CVE: CVE-2025-58369
GHSA: GHSA-rrw2-px9j-qffj
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWEs:

CWE-400

Affected Software
References

Software	From	Fixed in
co.fs2 / fs2-io_2.12	3.13.0-M1	3.13.0-M7
co.fs2 / fs2-io_2.13	3.13.0-M1	3.13.0-M7
co.fs2 / fs2-io_3	3.13.0-M1	3.13.0-M7
co.fs2 / fs2-io_0.26	-	-
co.fs2 / fs2-io_0.27	-	-
co.fs2 / fs2-io_2.11	-	-
co.fs2 / fs2-io_2.12.0-M4	-	-
co.fs2 / fs2-io_2.12.0-RC1	-	-
co.fs2 / fs2-io_2.12.0-M5	-	-
co.fs2 / fs2-io_2.12.0-RC2	-	-
co.fs2 / fs2-io_2.13.0-M5	-	-
co.fs2 / fs2-io_2.12	3.0.0-M1	3.12.2
co.fs2 / fs2-io_2.13	3.0.0-M1	3.12.2
co.fs2 / fs2-io_3	3.0.0-M1	3.12.2
co.fs2 / fs2-io_2.12	-	2.5.13
co.fs2 / fs2-io_2.13	-	2.5.13
co.fs2 / fs2-io_3	-	2.5.13

Vulnerability Database

308,485

CVE-2025-58369

Deep Security Visibility Without the Complexity