CVE-2025-58369

Name of the Vulnerable Software and Affected Versions fs2 versions 3.12.2 and lower fs2 versions 3.13.0-M1 through 3.13.0-M6

Description fs2, a compositional, streaming I/O library for Scala, is susceptible to denial of service attacks through TLS sessions when using fs2-io on the JVM with the fs2.io.net.tls package. During TLS handshake establishment, if one side closes the write stream while the peer is awaiting further data, the peer can enter a CPU spin loop on socket read, consuming CPU resources until the connection closes. This can potentially disrupt an fs2-io powered server.

Recommendations Upgrade to fs2 version 3.12.1 or later. Upgrade to fs2 version 3.13.0-M7 or later.