CVE-2025-58369: 
Java vulnerability analysis and mitigation

CVE-2025-58369 affects fs2, a compositional, streaming I/O library for Scala. The vulnerability was discovered and disclosed on September 5, 2025. It affects versions 3.12.2 and lower, as well as versions 3.13.0-M1 through 3.13.0-M6. The vulnerability specifically impacts the TLS session functionality in the fs2-io package when running on JVM using the fs2.io.net.tls package (NVD, GitHub Advisory).

The vulnerability occurs during TLS session establishment when one side of the connection shuts down 'write' while the peer side is awaiting more data to progress the TLS handshake. This causes the peer side to enter a spin loop on the socket read, resulting in full CPU utilization. The issue has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption) (NVD, Miggo).

The vulnerability can be exploited as a denial of service attack against fs2-io powered servers. Attackers could open multiple connections and put them in a half-shutdown state, causing excessive CPU consumption. The CPU remains fully utilized until the overall connection is closed. This issue particularly impacts ember-backed http4s servers with HTTPS, as they utilize fs2's TLS support (GitHub Advisory).

The vulnerability has been fixed in fs2 versions 3.12.2 and 3.13.0-M7. Users are strongly advised to upgrade to these patched versions or later. No workarounds are available for this vulnerability, making upgrading the only viable solution (GitHub Advisory).