CVE-2025-58369: 
Java vulnerability analysis and mitigation

CVE-2025-58369 affects fs2, a compositional streaming I/O library for Scala, in versions 3.12.2 and lower and 3.13.0-M1 through 3.13.0-M6. The vulnerability allows denial of service attacks through TLS sessions using fs2-io on the JVM using the fs2.io.net.tls package. The issue was discovered and disclosed on September 5, 2025 (NVD).

When establishing a TLS session, if one side of the connection shuts down 'write' while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. The CPU consumption continues until the overall connection is closed. The vulnerability has a CVSS v3.1 base score of 5.3 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. The issue particularly impacts ember-backed http4s servers with HTTPS due to ember using fs2's TLS support (GitHub Advisory).

The vulnerability could be exploited as a denial of service attack on an fs2-io powered server. Attackers could open many connections and put them in a half-shutdown state, leading to high CPU utilization and potential server shutdown. This affects the availability of the service while not impacting confidentiality or integrity (GitHub Advisory).

The vulnerability has been fixed in versions 3.12.1 and 3.13.0-M7. No workarounds are available, so users are strongly advised to upgrade to the patched versions. This is particularly important for users of TLS support on the JVM (GitHub Release).