Mend.io Vulnerability Database
CVE-2025-58369
September 05, 2025
fs2 is a compositional, streaming I/O library for Scala. Versions up to and including 2.5.12, 3.0.0-M1 through 3.12.2, and 3.13.0-M1 through 3.13.0-M6 are vulnerable to denial-of-service attacks through TLS sessions that use fs2-io on the JVM via the fs2.io.net.tls package. When establishing a TLS session, if one side of the connection shuts down "write" while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. The CPU is consumed until the overall connection is closed, potentially shutting down an fs2-io-powered server. This issue is fixed in versions 2.5.13, 3.12.1, and 3.13.0-M7.
Affected Packages
https://github.com/typelevel/fs2.git (GITHUB):
Affected version(s) >=v0.1 <v3.12.2
Fix Suggestion:
Update to version v3.12.2
co.fs2:fs2-io_2.12 (JAVA):
Affected version(s) >=3.0.0-M1 <3.12.2
Fix Suggestion:
Update to version 3.12.2
co.fs2:fs2-io_2.12 (JAVA):
Affected version(s) >=0.9.2 <3.12.2
Fix Suggestion:
Update to version 3.12.2
co.fs2:fs2-io_3 (JAVA):
Affected version(s) >=2.5-2-d8fe229 <2.5.13
Fix Suggestion:
Update to version 2.5.13
co.fs2:fs2-io_2.13 (JAVA):
Affected version(s) >=3.13.0-M1 <3.13.0-M7
Fix Suggestion:
Update to version 3.13.0-M7
co.fs2:fs2-io_3 (JAVA):
Affected version(s) >=2.5-2-d8fe229 <3.12.2
Fix Suggestion:
Update to version 3.12.2
co.fs2:fs2-io_3 (JAVA):
Affected version(s) >=3.13.0-M1 <3.13.0-M7
Fix Suggestion:
Update to version 3.13.0-M7
co.fs2:fs2-io_2.12 (JAVA):
Affected version(s) >=0.9.2 <2.5.13
Fix Suggestion:
Update to version 2.5.13
co.fs2:fs2-io_2.13 (JAVA):
Affected version(s) >=3.0.0-M1 <3.12.2
Fix Suggestion:
Update to version 3.12.2
co.fs2:fs2-io_2.13 (JAVA):
Affected version(s) >=1.1.0-M1 <3.12.2
Fix Suggestion:
Update to version 3.12.2
co.fs2:fs2-io_2.12 (JAVA):
Affected version(s) >=3.13.0-M1 <3.13.0-M7
Fix Suggestion:
Update to version 3.13.0-M7
co.fs2:fs2-io_3 (JAVA):
Affected version(s) >=3.0-2-a745d70 <3.12.2
Fix Suggestion:
Update to version 3.12.2
co.fs2:fs2-io_2.13 (JAVA):
Affected version(s) >=1.1.0-M1 <2.5.13
Fix Suggestion:
Update to version 2.5.13
CVSS v4
Base Score: 6.9
Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: NONE
User Interaction: NONE
Vulnerable System Confidentiality: NONE
Vulnerable System Integrity: NONE
Vulnerable System Availability: LOW
Subsequent System Confidentiality: NONE
Subsequent System Integrity: NONE
Subsequent System Availability: NONE
CVSS v3
Base Score: 5.3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: NONE
Integrity: NONE
Availability: LOW
Weakness Type (CWE): Uncontrolled Resource Consumption
EPSS
Base Score: 0.13