CVE-2025-58369 is a denial of service vulnerability categorized under CWE-400 (Uncontrolled Resource Consumption) affecting the typelevel fs2 library, a compositional streaming I/O library for Scala. The vulnerability impacts versions up to 2.5.12, 3.0.0-M1 through 3.12.2, and 3.13.0-M1 through 3.13.0-M6. It specifically arises during TLS session establishment on the JVM when using the fs2.io.net.tls package. The issue occurs if one side of a TLS connection shuts down its write channel while the peer side is still awaiting data to progress the TLS handshake. This causes the peer to enter a spin loop on socket read operations, resulting in full CPU utilization on that thread until the connection is closed. This behavior can lead to denial of service by exhausting CPU resources, potentially shutting down servers relying on fs2-io for TLS communication. The vulnerability requires no authentication or user interaction and can be triggered remotely over the network. The CVSS v3.1 base score is 5.3 (medium severity), reflecting network attack vector, low complexity, no privileges required, no user interaction, and impact limited to availability. The issue is resolved in fs2 versions 2.5.13, 3.12.1, and 3.13.0-M7. No known exploits in the wild have been reported as of the publication date. This vulnerability highlights the risks of resource exhaustion attacks in asynchronous streaming libraries handling TLS handshakes.

For European organizations, this vulnerability poses a risk of denial of service on servers using vulnerable versions of the fs2 library for TLS streaming I/O on the JVM. Such denial of service could disrupt critical services, degrade performance, and cause downtime, impacting business continuity and user experience. Organizations in sectors like finance, telecommunications, and public services that rely on Scala-based JVM applications for secure streaming communications are particularly vulnerable. The CPU exhaustion caused by the spin loop can lead to increased operational costs and potential cascading failures if load balancing or failover mechanisms are insufficient. Although no data confidentiality or integrity impact is present, availability degradation can have significant operational consequences. Given the network-exploitable nature and no authentication requirement, attackers can remotely trigger this condition, increasing the threat surface. European entities with large Scala developer communities or those using typelevel fs2 in production should assess their exposure and prioritize patching to avoid service interruptions.

The primary mitigation is to upgrade the fs2 library to a fixed version: 2.5.13, 3.12.1, or 3.13.0-M7 or later. Organizations should audit their codebases and dependencies to identify usage of vulnerable fs2 versions, especially in JVM applications handling TLS streams. Implementing robust monitoring of CPU utilization and network socket states can help detect anomalous spin loops indicative of exploitation attempts. Network-level protections such as rate limiting or connection throttling on TLS endpoints may reduce the risk of resource exhaustion. Employing circuit breakers or timeout mechanisms in the application logic to detect stalled TLS handshakes can prevent indefinite CPU consumption. Additionally, conducting regular dependency updates and integrating vulnerability scanning into CI/CD pipelines will help prevent future exposure. For critical infrastructure, consider isolating vulnerable services behind load balancers or proxies that can absorb or mitigate denial of service attempts until patches are applied.