VYPR
Medium severity5.3OSV Advisory· Published Sep 5, 2025· Updated Apr 15, 2026

CVE-2025-58369

CVE-2025-58369

Description

fs2 is a compositional, streaming I/O library for Scala. Versions up to and including 2.5.12, 3.0.0-M1 through 3.12.2, and 3.13.0-M1 through 3.13.0-M6 are vulnerable to denial of service attacks though TLS sessions using fs2-io on the JVM using the fs2.io.net.tls package. When establishing a TLS session, if one side of the connection shuts down write while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. The CPU is consumed until the overall connection is closed, potentially shutting down a fs2-io powered server. This issue is fixed in versions 2.5.13, 3.12.1, and 3.13.0-M7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
co.fs2:fs2-io_2.12Maven
>= 3.0.0-M1, < 3.12.23.12.2
co.fs2:fs2-io_2.12Maven
>= 3.13.0-M1, < 3.13.0-M73.13.0-M7
co.fs2:fs2-io_2.13Maven
>= 3.0.0-M1, < 3.12.23.12.2
co.fs2:fs2-io_2.13Maven
>= 3.13.0-M1, < 3.13.0-M73.13.0-M7
co.fs2:fs2-io_3Maven
>= 3.0.0-M1, < 3.12.23.12.2
co.fs2:fs2-io_3Maven
>= 3.13.0-M1, < 3.13.0-M73.13.0-M7
co.fs2:fs2-io_0.26Maven
>= 0
co.fs2:fs2-io_0.27Maven
>= 0
co.fs2:fs2-io_2.11Maven
>= 0
co.fs2:fs2-io_2.12.0-M4Maven
>= 0
co.fs2:fs2-io_2.12.0-RC1Maven
>= 0
co.fs2:fs2-io_2.12.0-M5Maven
>= 0
co.fs2:fs2-io_2.12.0-RC2Maven
>= 0
co.fs2:fs2-io_2.13.0-M5Maven
>= 0
co.fs2:fs2-io_2.12Maven
< 2.5.132.5.13
co.fs2:fs2-io_2.13Maven
< 2.5.132.5.13
co.fs2:fs2-io_3Maven
< 2.5.132.5.13

Affected products

12

Patches

Vulnerability mechanics

References

10

News mentions

0

No linked articles in our index yet.