CVE-2025-58369
Description
fs2 is a compositional, streaming I/O library for Scala. Versions up to and including 2.5.12, 3.0.0-M1 through 3.12.2, and 3.13.0-M1 through 3.13.0-M6 are vulnerable to denial of service attacks though TLS sessions using fs2-io on the JVM using the fs2.io.net.tls package. When establishing a TLS session, if one side of the connection shuts down write while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. The CPU is consumed until the overall connection is closed, potentially shutting down a fs2-io powered server. This issue is fixed in versions 2.5.13, 3.12.1, and 3.13.0-M7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
co.fs2:fs2-io_2.12Maven | >= 3.0.0-M1, < 3.12.2 | 3.12.2 |
co.fs2:fs2-io_2.12Maven | >= 3.13.0-M1, < 3.13.0-M7 | 3.13.0-M7 |
co.fs2:fs2-io_2.13Maven | >= 3.0.0-M1, < 3.12.2 | 3.12.2 |
co.fs2:fs2-io_2.13Maven | >= 3.13.0-M1, < 3.13.0-M7 | 3.13.0-M7 |
co.fs2:fs2-io_3Maven | >= 3.0.0-M1, < 3.12.2 | 3.12.2 |
co.fs2:fs2-io_3Maven | >= 3.13.0-M1, < 3.13.0-M7 | 3.13.0-M7 |
co.fs2:fs2-io_0.26Maven | >= 0 | — |
co.fs2:fs2-io_0.27Maven | >= 0 | — |
co.fs2:fs2-io_2.11Maven | >= 0 | — |
co.fs2:fs2-io_2.12.0-M4Maven | >= 0 | — |
co.fs2:fs2-io_2.12.0-RC1Maven | >= 0 | — |
co.fs2:fs2-io_2.12.0-M5Maven | >= 0 | — |
co.fs2:fs2-io_2.12.0-RC2Maven | >= 0 | — |
co.fs2:fs2-io_2.13.0-M5Maven | >= 0 | — |
co.fs2:fs2-io_2.12Maven | < 2.5.13 | 2.5.13 |
co.fs2:fs2-io_2.13Maven | < 2.5.13 | 2.5.13 |
co.fs2:fs2-io_3Maven | < 2.5.13 | 2.5.13 |
Affected products
12- ghsa-coords11 versionspkg:maven/co.fs2/fs2-io_0.26pkg:maven/co.fs2/fs2-io_0.27pkg:maven/co.fs2/fs2-io_2.11pkg:maven/co.fs2/fs2-io_2.12pkg:maven/co.fs2/fs2-io_2.12.0-M4pkg:maven/co.fs2/fs2-io_2.12.0-M5pkg:maven/co.fs2/fs2-io_2.12.0-RC1pkg:maven/co.fs2/fs2-io_2.12.0-RC2pkg:maven/co.fs2/fs2-io_2.13pkg:maven/co.fs2/fs2-io_2.13.0-M5pkg:maven/co.fs2/fs2-io_3
>= 0+ 10 more
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 3.0.0-M1, < 3.12.2
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 3.0.0-M1, < 3.12.2
- (no CPE)range: >= 0
- (no CPE)range: >= 3.0.0-M1, < 3.12.2
Patches
Vulnerability mechanics
References
10- github.com/advisories/GHSA-rrw2-px9j-qffjghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-58369ghsaADVISORY
- github.com/typelevel/fs2/commit/46e2dc3abf994dcf3d0b804b2ddb3c10c04d4976nvdWEB
- github.com/typelevel/fs2/commit/5c6c4c6c1ef330f7e6b53661ecc63d5f5ba8885cnvdWEB
- github.com/typelevel/fs2/commit/edf0c4f2e660360d1c1a8c5377ce32294de89238nvdWEB
- github.com/typelevel/fs2/issues/3590nvdWEB
- github.com/typelevel/fs2/pull/3624ghsaWEB
- github.com/typelevel/fs2/releases/tag/v3.12.2nvdWEB
- github.com/typelevel/fs2/releases/tag/v3.13.0-M7nvdWEB
- github.com/typelevel/fs2/security/advisories/GHSA-rrw2-px9j-qffjnvdWEB
News mentions
0No linked articles in our index yet.