cvelistv5 - cve-2025-58369

CVE-2025-58369 (GCVE-0-2025-58369)

Vulnerability from cvelistv5

Published

2025-09-05 21:59

Modified

2025-11-07 11:52

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-400 - Uncontrolled Resource Consumption

Summary

fs2 is a compositional, streaming I/O library for Scala. Versions up to and including 2.5.12, 3.0.0-M1 through 3.12.2, and 3.13.0-M1 through 3.13.0-M6 are vulnerable to denial of service attacks though TLS sessions using fs2-io on the JVM using the fs2.io.net.tls package. When establishing a TLS session, if one side of the connection shuts down `write` while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. The CPU is consumed until the overall connection is closed, potentially shutting down a fs2-io powered server. This issue is fixed in versions 2.5.13, 3.12.1, and 3.13.0-M7.

References

URL

Tags

	security-advisories@github.com	https://github.com/typelevel/fs2/commit/46e2dc3abf994dcf3d0b804b2ddb3c10c04d4976
	security-advisories@github.com	https://github.com/typelevel/fs2/commit/5c6c4c6c1ef330f7e6b53661ecc63d5f5ba8885c
	security-advisories@github.com	https://github.com/typelevel/fs2/commit/edf0c4f2e660360d1c1a8c5377ce32294de89238
	security-advisories@github.com	https://github.com/typelevel/fs2/issues/3590
	security-advisories@github.com	https://github.com/typelevel/fs2/releases/tag/v3.12.2
	security-advisories@github.com	https://github.com/typelevel/fs2/releases/tag/v3.13.0-M7
	security-advisories@github.com	https://github.com/typelevel/fs2/security/advisories/GHSA-rrw2-px9j-qffj

Impacted products

	Vendor	Product	Version
	typelevel	fs2	Version: >= 3.0.0-M1, < 3.12.2 Version: >= 3.13.0-M1, < 3.13.0-M7 Version: < 2.5.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-58369",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-08T20:09:25.588603Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-08T20:09:32.825Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "fs2",
          "vendor": "typelevel",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.0.0-M1, \u003c 3.12.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.13.0-M1, \u003c 3.13.0-M7"
            },
            {
              "status": "affected",
              "version": "\u003c 2.5.13"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "fs2 is a compositional, streaming I/O library for Scala. Versions up to and including 2.5.12, 3.0.0-M1 through 3.12.2, and 3.13.0-M1 through 3.13.0-M6 are vulnerable to denial of service attacks though TLS sessions using fs2-io on the JVM using the fs2.io.net.tls package. When establishing a TLS session, if one side of the connection shuts down `write` while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. The CPU is consumed until the overall connection is closed, potentially shutting down a fs2-io powered server. This issue is fixed in versions  2.5.13, 3.12.1, and 3.13.0-M7."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-07T11:52:43.148Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/typelevel/fs2/security/advisories/GHSA-rrw2-px9j-qffj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/typelevel/fs2/security/advisories/GHSA-rrw2-px9j-qffj"
        },
        {
          "name": "https://github.com/typelevel/fs2/issues/3590",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/typelevel/fs2/issues/3590"
        },
        {
          "name": "https://github.com/typelevel/fs2/commit/46e2dc3abf994dcf3d0b804b2ddb3c10c04d4976",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/typelevel/fs2/commit/46e2dc3abf994dcf3d0b804b2ddb3c10c04d4976"
        },
        {
          "name": "https://github.com/typelevel/fs2/commit/5c6c4c6c1ef330f7e6b53661ecc63d5f5ba8885c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/typelevel/fs2/commit/5c6c4c6c1ef330f7e6b53661ecc63d5f5ba8885c"
        },
        {
          "name": "https://github.com/typelevel/fs2/commit/edf0c4f2e660360d1c1a8c5377ce32294de89238",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/typelevel/fs2/commit/edf0c4f2e660360d1c1a8c5377ce32294de89238"
        },
        {
          "name": "https://github.com/typelevel/fs2/releases/tag/v3.12.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/typelevel/fs2/releases/tag/v3.12.2"
        },
        {
          "name": "https://github.com/typelevel/fs2/releases/tag/v3.13.0-M7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/typelevel/fs2/releases/tag/v3.13.0-M7"
        }
      ],
      "source": {
        "advisory": "GHSA-rrw2-px9j-qffj",
        "discovery": "UNKNOWN"
      },
      "title": "fs2: Half-shutdown of socket during TLS handshake may result in spin loop on opposite side"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-58369",
    "datePublished": "2025-09-05T21:59:58.981Z",
    "dateReserved": "2025-08-29T16:19:59.012Z",
    "dateUpdated": "2025-11-07T11:52:43.148Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-58369\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-09-05T22:15:34.883\",\"lastModified\":\"2025-11-07T12:15:34.797\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"fs2 is a compositional, streaming I/O library for Scala. Versions up to and including 2.5.12, 3.0.0-M1 through 3.12.2, and 3.13.0-M1 through 3.13.0-M6 are vulnerable to denial of service attacks though TLS sessions using fs2-io on the JVM using the fs2.io.net.tls package. When establishing a TLS session, if one side of the connection shuts down `write` while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. The CPU is consumed until the overall connection is closed, potentially shutting down a fs2-io powered server. This issue is fixed in versions  2.5.13, 3.12.1, and 3.13.0-M7.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"references\":[{\"url\":\"https://github.com/typelevel/fs2/commit/46e2dc3abf994dcf3d0b804b2ddb3c10c04d4976\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/typelevel/fs2/commit/5c6c4c6c1ef330f7e6b53661ecc63d5f5ba8885c\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/typelevel/fs2/commit/edf0c4f2e660360d1c1a8c5377ce32294de89238\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/typelevel/fs2/issues/3590\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/typelevel/fs2/releases/tag/v3.12.2\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/typelevel/fs2/releases/tag/v3.13.0-M7\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/typelevel/fs2/security/advisories/GHSA-rrw2-px9j-qffj\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-58369\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-09-08T20:09:25.588603Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-09-08T20:09:29.795Z\"}}], \"cna\": {\"title\": \"fs2: Half-shutdown of socket during TLS handshake may result in spin loop on opposite side\", \"source\": {\"advisory\": \"GHSA-rrw2-px9j-qffj\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"typelevel\", \"product\": \"fs2\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 3.0.0-M1, \u003c 3.12.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.13.0-M1, \u003c 3.13.0-M7\"}, {\"status\": \"affected\", \"version\": \"\u003c 2.5.13\"}]}], \"references\": [{\"url\": \"https://github.com/typelevel/fs2/security/advisories/GHSA-rrw2-px9j-qffj\", \"name\": \"https://github.com/typelevel/fs2/security/advisories/GHSA-rrw2-px9j-qffj\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/typelevel/fs2/issues/3590\", \"name\": \"https://github.com/typelevel/fs2/issues/3590\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/typelevel/fs2/commit/46e2dc3abf994dcf3d0b804b2ddb3c10c04d4976\", \"name\": \"https://github.com/typelevel/fs2/commit/46e2dc3abf994dcf3d0b804b2ddb3c10c04d4976\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/typelevel/fs2/commit/5c6c4c6c1ef330f7e6b53661ecc63d5f5ba8885c\", \"name\": \"https://github.com/typelevel/fs2/commit/5c6c4c6c1ef330f7e6b53661ecc63d5f5ba8885c\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/typelevel/fs2/commit/edf0c4f2e660360d1c1a8c5377ce32294de89238\", \"name\": \"https://github.com/typelevel/fs2/commit/edf0c4f2e660360d1c1a8c5377ce32294de89238\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/typelevel/fs2/releases/tag/v3.12.2\", \"name\": \"https://github.com/typelevel/fs2/releases/tag/v3.12.2\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/typelevel/fs2/releases/tag/v3.13.0-M7\", \"name\": \"https://github.com/typelevel/fs2/releases/tag/v3.13.0-M7\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"fs2 is a compositional, streaming I/O library for Scala. Versions up to and including 2.5.12, 3.0.0-M1 through 3.12.2, and 3.13.0-M1 through 3.13.0-M6 are vulnerable to denial of service attacks though TLS sessions using fs2-io on the JVM using the fs2.io.net.tls package. When establishing a TLS session, if one side of the connection shuts down `write` while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. The CPU is consumed until the overall connection is closed, potentially shutting down a fs2-io powered server. This issue is fixed in versions  2.5.13, 3.12.1, and 3.13.0-M7.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400: Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-11-07T11:52:43.148Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-58369\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-07T11:52:43.148Z\", \"dateReserved\": \"2025-08-29T16:19:59.012Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-09-05T21:59:58.981Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

ghsa-rrw2-px9j-qffj

Vulnerability from github

Published

2025-09-05 20:58

Modified

2025-11-07 12:29

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Summary

FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side

Details

Impact

When establishing a TLS session using fs2-io on the JVM using the fs2.io.net.tls package, if one side of the connection shuts down write while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. This CPU is consumed until the overall connection is closed.

This could be used as a denial of service attack on an fs2-io powered server -- for example, by opening many connections and putting them in a half-shutdown state.

Note: this issue impacts ember backed http4s servers with HTTPS as a result of ember using fs2's TLS support.

Patches

Fixed in fs2 3.12.2 and 3.13.0-M7.

Workarounds

No workarounds.

For more information

If you have any questions or comments about this advisory:

Open an issue. Contact the Typelevel Security Team.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_2.12"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0-M1"
            },
            {
              "fixed": "3.12.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_2.12"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.13.0-M1"
            },
            {
              "fixed": "3.13.0-M7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_2.13"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0-M1"
            },
            {
              "fixed": "3.12.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_2.13"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.13.0-M1"
            },
            {
              "fixed": "3.13.0-M7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0-M1"
            },
            {
              "fixed": "3.12.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.13.0-M1"
            },
            {
              "fixed": "3.13.0-M7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.5.13"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_0.26"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.5.13"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_0.27"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.5.13"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_2.11"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.5.13"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_2.12.0-M4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.5.13"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_2.12.0-RC1"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.5.13"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_2.12.0-M5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.5.13"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_2.12.0-RC2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.5.13"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_2.13.0-M5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_2.12"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_2.13"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-58369"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-05T20:58:23Z",
    "nvd_published_at": "2025-09-05T22:15:34Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nWhen establishing a TLS session using `fs2-io` on the JVM using the `fs2.io.net.tls` package, if one side of the connection shuts down write while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. This CPU is consumed until the overall connection is closed.\n\nThis could be used as a denial of service attack on an fs2-io powered server -- for example, by opening many connections and putting them in a half-shutdown state.\n\nNote: this issue impacts ember backed http4s servers with HTTPS as a result of ember using fs2\u0027s TLS support.\n\n### Patches\nFixed in fs2 3.12.2 and 3.13.0-M7.\n\n### Workarounds\nNo workarounds.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n[Open an issue.](https://github.com/typelevel/fs2/issues/new/choose)\nContact the [Typelevel Security Team](https://github.com/typelevel/.github/blob/main/SECURITY.md).",
  "id": "GHSA-rrw2-px9j-qffj",
  "modified": "2025-11-07T12:29:27Z",
  "published": "2025-09-05T20:58:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/typelevel/fs2/security/advisories/GHSA-rrw2-px9j-qffj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58369"
    },
    {
      "type": "WEB",
      "url": "https://github.com/typelevel/fs2/issues/3590"
    },
    {
      "type": "WEB",
      "url": "https://github.com/typelevel/fs2/pull/3624"
    },
    {
      "type": "WEB",
      "url": "https://github.com/typelevel/fs2/commit/46e2dc3abf994dcf3d0b804b2ddb3c10c04d4976"
    },
    {
      "type": "WEB",
      "url": "https://github.com/typelevel/fs2/commit/5c6c4c6c1ef330f7e6b53661ecc63d5f5ba8885c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/typelevel/fs2/commit/edf0c4f2e660360d1c1a8c5377ce32294de89238"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/typelevel/fs2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/typelevel/fs2/releases/tag/v3.12.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/typelevel/fs2/releases/tag/v3.13.0-M7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side"
}

CERTFR-2025-AVI-1051

Vulnerability from certfr_avis

De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
IBM	Sterling File Gateway	Sterling File Gateway versions antérieures à 6.2.1.1_1
IBM	Db2	Db2 versions V11.5.x sans le correctif APAR DT433150
IBM	Spectrum	Spectrum Control versions antérieures à 5.4.13.2
IBM	Db2	Db2 versions V11.1.x sans le correctif APAR DT433150
IBM	Db2	Db2 versions V12.1.3 sans le correctif APAR DT433150
IBM	Security QRadar EDR	Security QRadar EDR versions antérieures à 3.12.21
IBM	WebSphere Service Registry and Repository	WebSphere Service Registry and Repository versions 8.5 sans les derniers correctifs de sécurité
IBM	Sterling B2B Integrator	Sterling B2B Integrator versions antérieures à 6.2.1.1_1
IBM	QRadar Deployment Intelligence App	QRadar Deployment Intelligence App versions antérieures à 3.0.19
IBM	Informix Dynamic Server	Informix Dynamic Server versions 14.10 antérieures à 14.10.xC11W1

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 7252704	2025-11-26	vendor-advisory
Bulletin de sécurité IBM 7252903	2025-11-27	vendor-advisory
Bulletin de sécurité IBM 7252597	2025-11-28	vendor-advisory
Bulletin de sécurité IBM 7252211	2025-11-21	vendor-advisory
Bulletin de sécurité IBM 7252908	2025-11-27	vendor-advisory
Bulletin de sécurité IBM 7250474	2025-11-26	vendor-advisory
Bulletin de sécurité IBM 7252718	2025-11-26	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Sterling File Gateway versions ant\u00e9rieures \u00e0 6.2.1.1_1",
      "product": {
        "name": "Sterling File Gateway",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Db2 versions V11.5.x sans le correctif APAR DT433150",
      "product": {
        "name": "Db2",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Spectrum Control versions ant\u00e9rieures \u00e0 5.4.13.2",
      "product": {
        "name": "Spectrum",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Db2 versions V11.1.x sans le correctif APAR DT433150",
      "product": {
        "name": "Db2",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Db2 versions V12.1.3 sans le correctif APAR DT433150",
      "product": {
        "name": "Db2",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Security QRadar EDR versions ant\u00e9rieures \u00e0 3.12.21",
      "product": {
        "name": "Security QRadar EDR",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "WebSphere Service Registry and Repository versions 8.5 sans les derniers correctifs de s\u00e9curit\u00e9",
      "product": {
        "name": "WebSphere Service Registry and Repository",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling B2B Integrator versions ant\u00e9rieures \u00e0 6.2.1.1_1",
      "product": {
        "name": "Sterling B2B Integrator",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "QRadar Deployment Intelligence App versions ant\u00e9rieures \u00e0 3.0.19",
      "product": {
        "name": "QRadar Deployment Intelligence App",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Informix Dynamic Server versions 14.10 ant\u00e9rieures \u00e0 14.10.xC11W1",
      "product": {
        "name": "Informix Dynamic Server",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2023-1370",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-1370"
    },
    {
      "name": "CVE-2025-58369",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-58369"
    },
    {
      "name": "CVE-2025-47279",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-47279"
    },
    {
      "name": "CVE-2025-7962",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-7962"
    },
    {
      "name": "CVE-2025-58057",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-58057"
    },
    {
      "name": "CVE-2025-36097",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-36097"
    },
    {
      "name": "CVE-2018-25031",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-25031"
    },
    {
      "name": "CVE-2025-7783",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-7783"
    },
    {
      "name": "CVE-2025-48976",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-48976"
    },
    {
      "name": "CVE-2023-32732",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-32732"
    },
    {
      "name": "CVE-2025-54121",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-54121"
    },
    {
      "name": "CVE-2024-45675",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45675"
    },
    {
      "name": "CVE-2025-59822",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-59822"
    },
    {
      "name": "CVE-2024-56339",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-56339"
    },
    {
      "name": "CVE-2025-23184",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-23184"
    },
    {
      "name": "CVE-2023-32731",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-32731"
    },
    {
      "name": "CVE-2025-7339",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-7339"
    },
    {
      "name": "CVE-2025-48924",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-48924"
    },
    {
      "name": "CVE-2025-58754",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-58754"
    },
    {
      "name": "CVE-2024-57699",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-57699"
    }
  ],
  "initial_release_date": "2025-11-28T00:00:00",
  "last_revision_date": "2025-11-28T00:00:00",
  "links": [],
  "reference": "CERTFR-2025-AVI-1051",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-11-28T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
  "vendor_advisories": [
    {
      "published_at": "2025-11-26",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7252704",
      "url": "https://www.ibm.com/support/pages/node/7252704"
    },
    {
      "published_at": "2025-11-27",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7252903",
      "url": "https://www.ibm.com/support/pages/node/7252903"
    },
    {
      "published_at": "2025-11-28",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7252597",
      "url": "https://www.ibm.com/support/pages/node/7252597"
    },
    {
      "published_at": "2025-11-21",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7252211",
      "url": "https://www.ibm.com/support/pages/node/7252211"
    },
    {
      "published_at": "2025-11-27",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7252908",
      "url": "https://www.ibm.com/support/pages/node/7252908"
    },
    {
      "published_at": "2025-11-26",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7250474",
      "url": "https://www.ibm.com/support/pages/node/7250474"
    },
    {
      "published_at": "2025-11-26",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7252718",
      "url": "https://www.ibm.com/support/pages/node/7252718"
    }
  ]
}

fkie_cve-2025-58369

Vulnerability from fkie_nvd

Published

2025-09-05 22:15

Modified

2025-11-07 12:15

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/typelevel/fs2/commit/46e2dc3abf994dcf3d0b804b2ddb3c10c04d4976
	security-advisories@github.com	https://github.com/typelevel/fs2/commit/5c6c4c6c1ef330f7e6b53661ecc63d5f5ba8885c
	security-advisories@github.com	https://github.com/typelevel/fs2/commit/edf0c4f2e660360d1c1a8c5377ce32294de89238
	security-advisories@github.com	https://github.com/typelevel/fs2/issues/3590
	security-advisories@github.com	https://github.com/typelevel/fs2/releases/tag/v3.12.2
	security-advisories@github.com	https://github.com/typelevel/fs2/releases/tag/v3.13.0-M7
	security-advisories@github.com	https://github.com/typelevel/fs2/security/advisories/GHSA-rrw2-px9j-qffj

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "fs2 is a compositional, streaming I/O library for Scala. Versions up to and including 2.5.12, 3.0.0-M1 through 3.12.2, and 3.13.0-M1 through 3.13.0-M6 are vulnerable to denial of service attacks though TLS sessions using fs2-io on the JVM using the fs2.io.net.tls package. When establishing a TLS session, if one side of the connection shuts down `write` while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. The CPU is consumed until the overall connection is closed, potentially shutting down a fs2-io powered server. This issue is fixed in versions  2.5.13, 3.12.1, and 3.13.0-M7."
    }
  ],
  "id": "CVE-2025-58369",
  "lastModified": "2025-11-07T12:15:34.797",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-09-05T22:15:34.883",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/typelevel/fs2/commit/46e2dc3abf994dcf3d0b804b2ddb3c10c04d4976"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/typelevel/fs2/commit/5c6c4c6c1ef330f7e6b53661ecc63d5f5ba8885c"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/typelevel/fs2/commit/edf0c4f2e660360d1c1a8c5377ce32294de89238"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/typelevel/fs2/issues/3590"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/typelevel/fs2/releases/tag/v3.12.2"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/typelevel/fs2/releases/tag/v3.13.0-M7"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/typelevel/fs2/security/advisories/GHSA-rrw2-px9j-qffj"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-58369 (GCVE-0-2025-58369)

Vulnerability from cvelistv5

ghsa-rrw2-px9j-qffj

Vulnerability from github

Impact

Patches

Workarounds

For more information

CERTFR-2025-AVI-1051

Vulnerability from certfr_avis

Solutions

fkie_cve-2025-58369

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature