Denial of Service Vulnerability in fs2 Streaming I/O Library for Scala
CVE-2025-58369

5.3 MEDIUM

Key Information:

Vendor: Typelevel
Status: Vendor
CVE Published: 5 September 2025

What is CVE-2025-58369?

The fs2 library, utilized for compositional and streaming I/O in Scala applications, is susceptible to a denial of service attack during TLS session establishment. When one side of the connection terminates its write operations prematurely while the peer waits for further data to complete the TLS handshake, the peer may enter a spin loop on socket read operations. This continuous CPU usage can lead to severe performance degradation, potentially incapacitating servers reliant on the fs2-io framework. The issue has been resolved in fs2 versions 3.12.1 and 3.13.0-M7.
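The spin-loop failure mode described above, as an added illustration that is not fs2 code: a peer half-closes the connection mid-handshake, a naive read loop that ignores EOF spins at full CPU, and a hardened loop fails fast. The socketpair scenario and the 3-byte sample are constructed for the demo.

```python
import socket

def read_exactly_naive(sock, need, max_spins=1000):
    """Buggy pattern: loops until `need` bytes arrive and ignores EOF.
    After the peer half-closes, recv() returns b'' instantly on every
    call, so this spins at 100% CPU. max_spins only lets the demo
    terminate; the spin count is returned to make the waste visible."""
    buf, spins = b"", 0
    while len(buf) < need and spins < max_spins:
        buf += sock.recv(need - len(buf))
        spins += 1
    return spins

def read_exactly(sock, need):
    """Hardened pattern: a zero-length read is EOF and must end the loop.
    Failing fast lets the handshake abort instead of waiting forever
    for bytes the peer will never send."""
    buf = b""
    while len(buf) < need:
        chunk = sock.recv(need - len(buf))
        if not chunk:
            raise ConnectionError(
                f"peer closed with {len(buf)}/{need} handshake bytes received")
        buf += chunk
    return buf

def half_closed_pair():
    """Constructed scenario: the peer sends 3 bytes (a sample TLS record
    header prefix, not a real handshake) and then shuts down writing."""
    peer, local = socket.socketpair()
    peer.sendall(b"\x16\x03\x03")
    peer.shutdown(socket.SHUT_WR)
    return peer, local

def demo_naive():
    peer, local = half_closed_pair()
    with peer, local:
        return read_exactly_naive(local, need=5)   # -> 1000 spins

def demo_hardened():
    peer, local = half_closed_pair()
    with peer, local:
        try:
            read_exactly(local, need=5)
        except ConnectionError as e:
            return str(e)
    return "no error"
```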

Affected Version(s)

fs2 < 3.12.2

fs2 >= 3.13.0-M1, < 3.13.0-M7

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
