CVE-2025-58369
- Source
- https://cve.org/CVERecord?id=CVE-2025-58369
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-58369.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-58369
- Aliases
- Published
- 2025-09-05T21:59:58.981Z
- Modified
- 2026-04-10T05:31:26.193964Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- Summary
- fs2: Half-shutdown of socket during TLS handshake may result in spin loop on opposite side
- Details
-
fs2 is a compositional, streaming I/O library for Scala. Versions up to and including 2.5.12, 3.0.0-M1 through 3.12.2, and 3.13.0-M1 through 3.13.0-M6 are vulnerable to denial of service attacks though TLS sessions using fs2-io on the JVM using the fs2.io.net.tls package. When establishing a TLS session, if one side of the connection shuts down
writewhile the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. The CPU is consumed until the overall connection is closed, potentially shutting down a fs2-io powered server. This issue is fixed in versions 2.5.13, 3.12.1, and 3.13.0-M7. - Database specific
{ "cwe_ids": [ "CWE-400" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/58xxx/CVE-2025-58369.json", "cna_assigner": "GitHub_M" }- References
-
- https://github.com/typelevel/fs2/releases/tag/v3.12.2
- https://github.com/typelevel/fs2/releases/tag/v3.13.0-M7
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/58xxx/CVE-2025-58369.json
- https://github.com/typelevel/fs2/security/advisories/GHSA-rrw2-px9j-qffj
- https://nvd.nist.gov/vuln/detail/CVE-2025-58369
- https://github.com/typelevel/fs2/issues/3590
- https://github.com/typelevel/fs2/commit/46e2dc3abf994dcf3d0b804b2ddb3c10c04d4976
- https://github.com/typelevel/fs2/commit/5c6c4c6c1ef330f7e6b53661ecc63d5f5ba8885c
- https://github.com/typelevel/fs2/commit/edf0c4f2e660360d1c1a8c5377ce32294de89238
Affected packages
Git / github.com/typelevel/fs2
Affected ranges
Affected versions
Other
redesign-complex-interpreter
release/0.*
release/0.5
release/0.7
v0.*
v0.10.0
v0.10.0-M1
v0.10.0-M10
v0.10.0-M11
v0.10.0-M2
v0.10.0-M3
v0.10.0-M4
v0.10.0-M5
v0.10.0-M6
v0.10.0-M7
v0.10.0-M8
v0.10.0-M9
v0.10.0-RC1
v0.10.0-RC2
v0.10.1
v0.10.2
v0.9.0
v0.9.0-M1
v0.9.0-M2
v0.9.0-M3
v0.9.0-M4
v0.9.0-M5
v0.9.0-M6
v0.9.0-RC1
v0.9.0-RC2
v0.9.1
v1.*
v1.0.0
v1.0.0-M1
v1.0.0-M2
v1.0.0-M3
v1.0.0-M4
v1.0.0-M5
v1.0.0-RC1
v1.0.0-RC2
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.1.0-M1
v1.1.0-M2
v2.*
v2.0.0
v2.0.1
v2.1.0
v2.2.0
v2.2.1
v2.2.2
v2.3.0
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.5.0
v2.5.0-M1
v2.5.0-M2
v2.5.0-M3
v2.5.0-RC1
v2.5.1
v2.5.10
v2.5.11
v2.5.12
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.5.8
v2.5.9
v3.*
v3.0.0
v3.0.0-M1
v3.0.0-M2
v3.0.0-M3
v3.0.0-M4
v3.0.0-M5
v3.0.0-M6
v3.0.0-M7
v3.0.0-M8
v3.0.0-M9
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.1.0
v3.1.1
v3.1.2
v3.1.4
v3.1.5
v3.1.6
v3.10.0
v3.10.1
v3.10.2
v3.11.0
v3.12.0
v3.12.0-RC2
v3.12.1
v3.13.0-M1
v3.13.0-M2
v3.13.0-M3
v3.13.0-M4
v3.13.0-M5
v3.13.0-M6
v3.2.0
v3.2.1
v3.2.10
v3.2.12
v3.2.13
v3.2.14
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.3.0
v3.4.0
v3.5.0
v3.6.0
v3.6.1
v3.7.0
v3.7.0-RC2
v3.7.0-RC3
v3.7.0-RC4
v3.7.0-RC5
v3.8.0
v3.9.0
v3.9.1
v3.9.2
v3.9.3
v3.9.4