Uncontrolled Resource Consumption
CVE-2025-58369
Summary
fs2 is a compositional, streaming I/O library for Scala. Versions from 2.5.3 prior to 2.5.13, 3.0.0 prior to 3.12.1 and 3.13.x prior to 3.13.0-M7 are vulnerable to Denial-of-Service (DoS) attacks through TLS sessions established with "fs2-io" on the JVM via the fs2.io.net.tls package. When establishing a TLS session, if one side of the connection shuts down "write" while the peer side is awaiting more data to progress the TLS handshake, the peer side spin-loops on the socket read, fully utilizing a CPU. The CPU is consumed until the overall connection is closed, potentially shutting down an fs2-io powered server.
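The failure mode described above, as an added illustration that is not fs2's code or its fix: a toy handshake reader over a Unix socket pair (constructed here) shows why a read loop that ignores end-of-stream keeps re-entering the read when the peer shuts down its write side, next to the same loop with the end-of-stream check a defender wants. The helper names, the 8-byte "handshake", and the spin bound used to make the demonstration terminate are all assumptions of this example.

```python
import socket

# Constructed: a toy "handshake" that cannot progress until 8 bytes have arrived.
HANDSHAKE_BYTES_NEEDED = 8


class PeerClosedWrite(Exception):
    """The peer shut down its write side before the handshake had enough data."""


def read_loop_unbounded(sock, needed, max_spins=1000):
    """The problematic pattern: retry the read until enough bytes are buffered.

    recv() returns b'' once the peer has shut down its write side. Appending b''
    never grows the buffer, so a loop that only asks "do I have enough bytes yet?"
    re-enters recv() immediately and burns a CPU until the connection is torn
    down. max_spins exists only so this demonstration terminates; the real
    pattern has no bound.
    """
    buf = b""
    spins = 0
    while len(buf) < needed:
        chunk = sock.recv(4096)
        buf += chunk
        if not chunk:
            spins += 1
            if spins >= max_spins:
                return buf, spins  # demonstration bound reached: would loop forever
    return buf, spins


def read_loop_eof_aware(sock, needed):
    """Same loop, but end-of-stream is terminal: abort the handshake instead of retrying."""
    buf = b""
    while len(buf) < needed:
        chunk = sock.recv(4096)
        if not chunk:
            raise PeerClosedWrite(
                f"peer closed write after {len(buf)}/{needed} handshake bytes"
            )
        buf += chunk
    return buf


def _peer(partial, half_close):
    """Constructed peer: sends `partial`, then optionally shuts down its write side."""
    server_side, client_side = socket.socketpair()
    client_side.sendall(partial)
    if half_close:
        client_side.shutdown(socket.SHUT_WR)  # peer stops mid-handshake, connection stays open
    return server_side, client_side


def demo_spin():
    """Peer sends 4 of 8 bytes and half-closes; the unbounded loop spins up to the bound."""
    server_side, client_side = _peer(b"CLNT", half_close=True)
    try:
        buf, spins = read_loop_unbounded(server_side, HANDSHAKE_BYTES_NEEDED)
        return len(buf), spins
    finally:
        server_side.close()
        client_side.close()


def demo_hardened_half_close():
    """Same peer behaviour; the EOF-aware loop aborts the handshake on the first empty read."""
    server_side, client_side = _peer(b"CLNT", half_close=True)
    try:
        read_loop_eof_aware(server_side, HANDSHAKE_BYTES_NEEDED)
        return "completed"
    except PeerClosedWrite:
        return "aborted"
    finally:
        server_side.close()
        client_side.close()


def demo_hardened_complete():
    """A well-behaved peer that sends the full message still completes the handshake."""
    server_side, client_side = _peer(b"CLNTHELO", half_close=False)
    try:
        return "completed" if read_loop_eof_aware(
            server_side, HANDSHAKE_BYTES_NEEDED) == b"CLNTHELO" else "mismatch"
    finally:
        server_side.close()
        client_side.close()


if __name__ == "__main__":
    print("unbounded loop (bytes, fruitless reads):", demo_spin())
    print("EOF-aware loop, half-closed peer:", demo_hardened_half_close())
    print("EOF-aware loop, complete peer:", demo_hardened_complete())
```

The half-close is the point: the connection is still open, so nothing else tears the loop down, and the only signal the reader gets is the empty read. Treating that as a terminal condition is the check; a socket read timeout (`sock.settimeout(...)`) is a complementary defence against a peer that stalls without closing at all.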
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- NONE
- LOW
CWE-400 - Uncontrolled resource consumption
An uncontrolled resource allocation attack (also known as resource exhaustion attack) triggers unauthorized overconsumption of the limited resources in an application, such as memory, file system storage, database connection pool entries, and CPU. This may lead to denial of service for valid users and degradation of the application's functionality as well as that of the host operating system.
Advisory Timeline
- Published