
CVE-2025-58369: CWE-400: Uncontrolled Resource Consumption in typelevel fs2

Medium
Tags: Vulnerability, CVE, CVE-2025-58369, CWE-400
Published: Fri Sep 05 2025 (09/05/2025, 21:59:58 UTC)
Source: CVE Database V5
Vendor/Project: typelevel
Product: fs2

Description

fs2 is a compositional, streaming I/O library for Scala. Versions 3.12.2 and lower, and 3.13.0-M1 through 3.13.0-M6, are vulnerable to denial-of-service attacks through TLS sessions using fs2-io on the JVM via the fs2.io.net.tls package. When establishing a TLS session, if one side of the connection shuts down `write` while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin-loop on the socket read, fully utilizing a CPU. The CPU is consumed until the overall connection is closed, potentially shutting down an fs2-io powered server. This issue is fixed in versions 3.12.1 and 3.13.0-M7.

AI-Powered Analysis

Last updated: 09/05/2025, 22:27:39 UTC

Technical Analysis

CVE-2025-58369 is a medium-severity vulnerability (CWE-400, Uncontrolled Resource Consumption) in fs2, a compositional streaming I/O library for Scala. According to the description it affects versions 3.12.2 and lower and the 3.13.0-M1 through 3.13.0-M6 milestones, and it is scoped to fs2-io on the JVM, specifically the fs2.io.net.tls package; applications that use fs2 without fs2-io TLS, or on a platform other than the JVM, are outside the stated scope. The defect is in TLS session establishment: if one side of the connection shuts down its write direction while the peer is still waiting for handshake data, the peer's handshake loop spins on the socket read instead of failing. That behaviour is consistent with a read loop that treats an empty read as "no data yet, try again": a half-closed socket returns end-of-stream immediately on every read, so the loop never blocks and pins a CPU core. The spin persists until the connection as a whole is closed, and because each such connection occupies a core, an attacker who opens and half-closes several connections can exhaust the server's CPU and take an fs2-io powered service down. Confidentiality and integrity are unaffected; the impact is availability. Exploitation needs no authentication or user interaction, only the ability to open a TLS connection to the service. The stated fix versions are 3.12.1 and 3.13.0-M7. Note that 3.12.1 falls inside the stated affected range of "3.12.2 and lower", so the CVE text is internally inconsistent; the upstream GitHub advisory should be consulted for the authoritative patched 3.12.x release before treating a deployment as fixed. No exploitation in the wild is known. The CVSS v3.1 base score is 5.3 (medium), reflecting network exploitability without privileges and an availability-only impact.
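To make the failure mode concrete, here is an added illustration in Python; it is not fs2's code and does not use fs2's API. It shows a reader that needs a fixed number of handshake bytes, first in the spinning form and then in a hardened form, each run against a peer that sends part of a record and half-closes its write side. The 5-byte target, the constructed partial header, the iteration cap and the handshake deadline are assumptions chosen for the demo; the mechanism it exercises, an empty read from a half-closed socket returning immediately and being retried, is the one the description implies.

```python
import socket

# Constructed target for the demo: the 5-byte TLS record header
# (content type, protocol version, length). A real handshake reads
# record after record; the failure mode is identical at every step.
HEADER_LEN = 5
MAX_SPIN = 10_000  # cap so the vulnerable variant terminates in the demo


def read_exactly_spinning(sock, n, max_iterations=MAX_SPIN):
    """Vulnerable pattern (hypothetical, not fs2's code).

    Treats an empty read as "nothing yet, try again". Once the peer has
    called shutdown(SHUT_WR), recv() returns b'' immediately on every
    call, so this loop never blocks and burns a CPU core until something
    else closes the connection. Returns (bytes_read, read_calls).
    """
    buf = b""
    iterations = 0
    while len(buf) < n and iterations < max_iterations:
        iterations += 1
        chunk = sock.recv(n - len(buf))
        buf += chunk  # b'' is appended silently: no progress, no failure
    return buf, iterations


def read_exactly(sock, n, handshake_timeout=5.0):
    """Hardened pattern: an empty read is end-of-stream and aborts the
    handshake, and a deadline drops a peer that neither sends nor closes."""
    sock.settimeout(handshake_timeout)
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise EOFError(
                f"peer half-closed after {len(buf)} of {n} handshake bytes")
        buf += chunk
    return buf


def simulate(reader):
    """Drive `reader` against a peer that sends a partial record header and
    then half-closes its write side, mirroring the trigger in the CVE text."""
    server_side, client_side = socket.socketpair()
    try:
        client_side.sendall(b"\x16\x03")       # constructed partial header
        client_side.shutdown(socket.SHUT_WR)   # write side closed, read side open
        return reader(server_side, HEADER_LEN)
    finally:
        server_side.close()
        client_side.close()


if __name__ == "__main__":
    data, spins = simulate(read_exactly_spinning)
    print(f"vulnerable loop: {len(data)} bytes, {spins} read calls, never blocked")
    try:
        simulate(read_exactly)
    except EOFError as e:
        print(f"hardened loop: handshake aborted: {e}")
```

Without the iteration cap the first variant would run until the process is killed, which is the behaviour the description reports; the second fails the handshake on the first empty read, so the half-closed connection is released immediately and its core freed.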

Potential Impact

For European organizations, the practical exposure is denial of service against JVM services that terminate TLS with fs2-io. Scala applications that use fs2-io for streaming and network I/O can suffer outages or degraded throughput when a remote peer half-closes connections mid-handshake and pins CPU cores, disrupting services that depend on real-time streaming or secure transport. No data is exposed and no access is gained; the impact is availability, which matters most in sectors such as finance, telecommunications and cloud service providers where fs2 is integrated. Because the cost is CPU rather than traffic volume, autoscaling and resource monitoring may respond with extra instances, higher operating costs or false alarms. The vulnerability is reachable remotely without authentication, so externally facing TLS endpoints are the primary concern. The absence of known exploits and the availability of patches reduce the immediate threat if updates are applied promptly.

Mitigation Recommendations

European organizations should first establish which fs2 version each JVM service actually ships: check the resolved fs2-io artifact in the build (for example sbt's dependencyTree or a Gradle or Maven dependency listing), not only the declared one, since a transitive dependency such as an HTTP or database client built on fs2 can pull in an affected release. Then upgrade past the affected range. The CVE text lists 3.12.2 and lower as affected but names 3.12.1 as the fix, which cannot both be true; treat every 3.12.x release up to and including 3.12.2 as suspect and move to the patched 3.12.x release identified in the upstream GitHub advisory, or to 3.13.0-M7 or later on the milestone line. Beyond patching: bound the handshake with a deadline so a peer that half-closes or stalls is dropped rather than serviced indefinitely (where the stack allows it, a timeout applied to the TLS setup step), and cap concurrent handshakes per source address. Rate limiting on its own is not sufficient, because a single half-closed connection is enough to pin one core for as long as it stays open; connection caps and idle-connection reaping at a reverse proxy or load balancer address that directly. For detection, watch for process CPU that stays saturated while request throughput is flat, and correlate it with connections that remain in the handshake state; a thread dump of an affected JVM shows worker threads busy in the socket read path rather than parked. Application-layer firewalls or intrusion prevention that flag repeated, never-completed TLS handshakes from one source can provide an earlier signal. For critical services, keep redundancy and failover in place so a CPU-exhausted node can be drained and restarted without an outage.
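As an added check, not from the page or the fs2 project, the following Python encodes the affected ranges exactly as the description states them, orders -M milestone releases before the corresponding final release, and scans dependency lines for JVM fs2-io artifacts. Because it follows the description literally, it classifies 3.12.1 as affected even though the description also names it as a fix version; that is precisely the inconsistency to resolve against the upstream advisory before relying on the result. The artifact naming pattern and the sample dependency lines are assumptions constructed for the example.

```python
import re

# Affected ranges as stated in the CVE description. The description also
# names 3.12.1 as a fix version, which lies inside the first range, so
# confirm the authoritative patched 3.12.x release upstream.
AFFECTED_MAX_3_12 = "3.12.2"                          # "3.12.2 and lower"
AFFECTED_3_13_MILESTONES = ("3.13.0-M1", "3.13.0-M6")  # inclusive

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")

# Assumed artifact pattern: JVM fs2-io for Scala 2.13 or 3. Scala.js
# (fs2-io_sjs1_3) and Scala Native artifacts do not match, since the
# CVE is scoped to the JVM.
_FS2_IO_JVM_RE = re.compile(r"co\.fs2:fs2-io_(?:2\.13|3):(\S+)")


def version_key(v):
    """Sort key for fs2 versions: an x.y.z-Mn milestone orders before the
    final x.y.z release, and milestones order by their number."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised fs2 version: {v!r}")
    major, minor, patch, milestone = m.groups()
    is_final = 0 if milestone else 1
    return (int(major), int(minor), int(patch), is_final, int(milestone or 0))


def is_affected(v):
    """True if `v` falls in an affected range as the description states it."""
    key = version_key(v)
    if key <= version_key(AFFECTED_MAX_3_12):
        return True
    lo, hi = AFFECTED_3_13_MILESTONES
    return version_key(lo) <= key <= version_key(hi)


def check_dependency_lines(lines):
    """Return (line, version) for every JVM fs2-io artifact in `lines`
    whose version is affected."""
    hits = []
    for line in lines:
        m = _FS2_IO_JVM_RE.search(line)
        if m and is_affected(m.group(1)):
            hits.append((line.strip(), m.group(1)))
    return hits


# Constructed sample in the 'group:artifact:version' shape of an sbt
# dependencyTree or Gradle dependency listing; not real build output.
SAMPLE_DEPS = [
    "co.fs2:fs2-core_3:3.12.2",
    "co.fs2:fs2-io_3:3.12.2",
    "co.fs2:fs2-io_2.13:3.13.0-M7",
    "co.fs2:fs2-io_3:3.13.0-M6",
    "co.fs2:fs2-io_sjs1_3:3.12.0",   # Scala.js artifact: outside the JVM scope
]

if __name__ == "__main__":
    for line, version in check_dependency_lines(SAMPLE_DEPS):
        print(f"affected: {line}")
```

Feed it the resolved (not declared) dependency listing of each service; fs2-core alone is not flagged because the CVE is specific to the fs2-io TLS package.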


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-08-29T16:19:59.012Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68bb6059535f4a9773160d1a

Added to database: 9/5/2025, 10:12:41 PM

Last enriched: 9/5/2025, 10:27:39 PM

Last updated: 9/5/2025, 11:45:19 PM

