CVE-2025-58369
📋 TL;DR
This CVE describes a denial-of-service vulnerability in fs2, a Scala streaming I/O library, where TLS sessions can be exploited to cause CPU spin loops. Attackers can trigger this by shutting down write operations during TLS handshakes, potentially crashing fs2-io powered servers. Users of fs2 versions up to 2.5.12, 3.0.0-M1 through 3.12.2, and 3.13.0-M1 through 3.13.0-M6 on JVM platforms are affected.
💻 Affected Systems
- fs2 (functional streams for Scala)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server shutdown due to CPU exhaustion, causing service unavailability for all users.
Likely Case
Degraded server performance and potential service disruption for some users during attack.
If Mitigated
Minimal impact with proper monitoring and quick response to anomalous CPU spikes.
🎯 Exploit Status
Exploitation requires precise timing during TLS handshake but no authentication. No public exploit code available as of analysis.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: fs2 2.5.13, 3.12.1, and 3.13.0-M7
Vendor Advisory: https://github.com/typelevel/fs2/releases/tag/v3.12.2
Restart Required: Yes
Instructions:
1. Update the fs2 dependency in build.sbt (or the equivalent build file) to a patched version.
2. Rebuild and redeploy the application.
3. Restart the affected services.
🔧 Temporary Workarounds
Disable TLS or use alternative TLS implementation
Temporarily disable TLS connections or switch to an alternative TLS library until patching is possible.
🧯 If You Can't Patch
- Implement rate limiting on TLS connections to reduce attack surface
- Monitor CPU usage and set up alerts for abnormal spikes during TLS handshakes
🔍 How to Verify
Check if Vulnerable:
Check the fs2 version in your build dependencies. If using sbt, run 'sbt dependencyTree | grep fs2', or inspect build.sbt or pom.xml for the fs2 version.
Check Version:
sbt 'show libraryDependencies' | grep fs2
Verify Fix Applied:
Verify updated fs2 version in dependencies matches patched versions (2.5.13, 3.12.1, or 3.13.0-M7).
📡 Detection & Monitoring
Log Indicators:
- Unusually high CPU usage during TLS handshakes
- Multiple TLS connection failures with timing patterns
Network Indicators:
- Abnormal TLS handshake patterns with premature write shutdowns
SIEM Query:
source="application_logs" AND ("TLS handshake" OR "fs2.io.net.tls") AND (cpu_usage > 90)
🔗 References
- https://github.com/typelevel/fs2/commit/46e2dc3abf994dcf3d0b804b2ddb3c10c04d4976
- https://github.com/typelevel/fs2/commit/5c6c4c6c1ef330f7e6b53661ecc63d5f5ba8885c
- https://github.com/typelevel/fs2/commit/edf0c4f2e660360d1c1a8c5377ce32294de89238
- https://github.com/typelevel/fs2/issues/3590
- https://github.com/typelevel/fs2/releases/tag/v3.12.2
- https://github.com/typelevel/fs2/releases/tag/v3.13.0-M7
- https://github.com/typelevel/fs2/security/advisories/GHSA-rrw2-px9j-qffj