Base Score

MEDIUM5.3

CVE-2025-58369

fs2 is a compositional, streaming I/O library for Scala. Versions up to and including 2.5.12, 3.0.0-M1 through 3.12.2, and 3.13.0-M1 through 3.13.0-M6 are vulnerable to denial of service attacks though TLS sessions using fs2-io on the JVM using the fs2.io.net.tls package. When establishing a TLS session, if one side of the connection shuts down `write` while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. The CPU is consumed until the overall connection is closed, potentially shutting down a fs2-io powered server. This issue is fixed in versions 2.5.13, 3.12.1, and 3.13.0-M7.

VectorNETWORK

Published Bysecurity-advisories@github.com

Published DateSep 05, 2025, 22:15

Affected Versions(17)

co.fs2:fs2-io_2.12(Maven)

Introduced3.0.0-M1

Fixed3.12.2

LimitN/A

co.fs2:fs2-io_2.12(Maven)

Introduced3.13.0-M1

Fixed3.13.0-M7

LimitN/A

co.fs2:fs2-io_2.13(Maven)

Introduced3.0.0-M1

Fixed3.12.2

LimitN/A

co.fs2:fs2-io_2.13(Maven)

Introduced3.13.0-M1

Fixed3.13.0-M7

LimitN/A

co.fs2:fs2-io_3(Maven)

Introduced3.0.0-M1

Fixed3.12.2

LimitN/A

co.fs2:fs2-io_3(Maven)

Introduced3.13.0-M1

Fixed3.13.0-M7

LimitN/A

co.fs2:fs2-io_0.26(Maven)

Introduced0

FixedN/A

LimitN/A

co.fs2:fs2-io_0.27(Maven)

Introduced0

FixedN/A

LimitN/A

co.fs2:fs2-io_2.11(Maven)

Introduced0

FixedN/A

LimitN/A

co.fs2:fs2-io_2.12.0-M4(Maven)

Introduced0

FixedN/A

LimitN/A

co.fs2:fs2-io_2.12.0-RC1(Maven)

Introduced0

FixedN/A

LimitN/A

co.fs2:fs2-io_2.12.0-M5(Maven)

Introduced0

FixedN/A

LimitN/A

co.fs2:fs2-io_2.12.0-RC2(Maven)

Introduced0

FixedN/A

LimitN/A

co.fs2:fs2-io_2.13.0-M5(Maven)

Introduced0

FixedN/A

LimitN/A

co.fs2:fs2-io_2.12(Maven)

Introduced0

Fixed2.5.13

LimitN/A

co.fs2:fs2-io_2.13(Maven)

Introduced0

Fixed2.5.13

LimitN/A

co.fs2:fs2-io_3(Maven)

Introduced0

Fixed2.5.13

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
co.fs2:fs2-io_2.12(Maven)	3.0.0-M1	3.12.2	N/A
co.fs2:fs2-io_2.12(Maven)	3.13.0-M1	3.13.0-M7	N/A
co.fs2:fs2-io_2.13(Maven)	3.0.0-M1	3.12.2	N/A
co.fs2:fs2-io_2.13(Maven)	3.13.0-M1	3.13.0-M7	N/A
co.fs2:fs2-io_3(Maven)	3.0.0-M1	3.12.2	N/A
co.fs2:fs2-io_3(Maven)	3.13.0-M1	3.13.0-M7	N/A
co.fs2:fs2-io_0.26(Maven)	0	N/A	N/A
co.fs2:fs2-io_0.27(Maven)	0	N/A	N/A
co.fs2:fs2-io_2.11(Maven)	0	N/A	N/A
co.fs2:fs2-io_2.12.0-M4(Maven)	0	N/A	N/A
co.fs2:fs2-io_2.12.0-RC1(Maven)	0	N/A	N/A
co.fs2:fs2-io_2.12.0-M5(Maven)	0	N/A	N/A
co.fs2:fs2-io_2.12.0-RC2(Maven)	0	N/A	N/A
co.fs2:fs2-io_2.13.0-M5(Maven)	0	N/A	N/A
co.fs2:fs2-io_2.12(Maven)	0	2.5.13	N/A
co.fs2:fs2-io_2.13(Maven)	0	2.5.13	N/A
co.fs2:fs2-io_3(Maven)	0	2.5.13	N/A

Weakness Type (CWE):CWE-400

CVSS Metrics

Base Score

5.3

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

NONE

Availability (A)

LOW

References

Base Score

MEDIUM5.3

Weakness Type (CWE):CWE-400

CVSS Metrics

Base Score

5.3

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

NONE

Availability (A)

LOW

CVE-2025-58369

VectorNETWORK

Published Bysecurity-advisories@github.com

Published DateSep 05, 2025, 22:15

Package (Ecosystem)

Introduced

Fixed

Limit

co.fs2:fs2-io_2.12(Maven)

3.0.0-M1

3.12.2

N/A

co.fs2:fs2-io_2.12(Maven)

3.13.0-M1

3.13.0-M7

N/A

co.fs2:fs2-io_2.13(Maven)

3.0.0-M1

3.12.2

N/A

co.fs2:fs2-io_2.13(Maven)

3.13.0-M1

3.13.0-M7

N/A

co.fs2:fs2-io_3(Maven)

3.0.0-M1

3.12.2

N/A

co.fs2:fs2-io_3(Maven)

3.13.0-M1

3.13.0-M7

N/A

co.fs2:fs2-io_0.26(Maven)

N/A

co.fs2:fs2-io_0.27(Maven)

N/A

co.fs2:fs2-io_2.11(Maven)

N/A

co.fs2:fs2-io_2.12.0-M4(Maven)

N/A

co.fs2:fs2-io_2.12.0-RC1(Maven)

N/A

co.fs2:fs2-io_2.12.0-M5(Maven)

N/A

co.fs2:fs2-io_2.12.0-RC2(Maven)

N/A

co.fs2:fs2-io_2.13.0-M5(Maven)

N/A

co.fs2:fs2-io_2.12(Maven)

2.5.13

N/A

co.fs2:fs2-io_2.13(Maven)

2.5.13

N/A

co.fs2:fs2-io_3(Maven)

2.5.13

N/A