Name of the Vulnerable Software and Affected Versions:
fs2 versions 3.12.2 and lower
fs2 versions 3.13.0-M1 through 3.13.0-M6
Description:
fs2, a compositional, streaming I/O library for Scala, is susceptible to denial of service through TLS sessions when using `fs2-io` on the JVM with the `fs2.io.net.tls` package. During TLS handshake establishment, if one side closes its `write` stream while the peer is still awaiting further data, the peer can enter a CPU spin loop on the socket read, consuming CPU until the connection closes. An unauthenticated client can trigger this against an `fs2-io` powered server and disrupt it.
Recommendations:
Upgrade to fs2 version 3.12.1 or later.
Upgrade to fs2 version 3.13.0-M7 or later.
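As an added illustration of the failure mode above (not code from the advisory or the fs2 project), the server below forces the TLS handshake eagerly under a deadline so a peer that stops mid-handshake has its fiber cancelled and its socket released instead of holding a CPU core; it assumes the fs2 3.x `fs2-io` API (`Network`, `TLSContext#server`, `TLSSocket#applyHandshake`), and the port and 10-second budget are placeholders. Upgrading remains the fix; this only bounds the exposure on an unpatched version.

```scala
import cats.effect.{IO, IOApp}
import com.comcast.ip4s._
import fs2.Stream
import fs2.io.net.Network
import scala.concurrent.duration._

// Added example, not part of the advisory or of fs2 itself.
// Assumptions: fs2 3.x fs2-io API; port 5555 and the 10-second
// handshake budget are illustrative placeholders.
object HandshakeBoundedTlsServer extends IOApp.Simple {

  val handshakeBudget: FiniteDuration = 10.seconds

  def run: IO[Unit] =
    Stream.eval(Network[IO].tlsContext.system).flatMap { tls =>
      Network[IO].server(port = Some(port"5555")).map { client =>
        Stream.resource(tls.server(client)).flatMap { tlsSocket =>
          // Drive the handshake up front with a deadline. If the peer closes
          // its write side and the handshake cannot finish, the timeout
          // cancels this fiber and the Resource finalizer closes the socket,
          // so the connection is dropped rather than spun on.
          Stream.eval(tlsSocket.applyHandshake.timeout(handshakeBudget)) >>
            tlsSocket.reads.through(tlsSocket.writes) // plain echo once secured
        }.handleErrorWith(_ => Stream.empty) // drop this client, keep serving others
      }.parJoin(64)
    }.compile.drain
}
```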