
5 vulnerabilities found for fs2 by typelevel

CVE-2025-58369 (GCVE-0-2025-58369)

Vulnerability from cvelistv5 – Published: 2025-09-05 21:59 – Updated: 2025-11-07 11:52
Summary
fs2 is a compositional, streaming I/O library for Scala. Versions up to and including 2.5.12, 3.0.0-M1 through 3.12.2, and 3.13.0-M1 through 3.13.0-M6 are vulnerable to denial of service attacks through TLS sessions using fs2-io on the JVM via the fs2.io.net.tls package. When establishing a TLS session, if one side of the connection shuts down `write` while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. The CPU is consumed until the overall connection is closed, potentially shutting down an fs2-io powered server. This issue is fixed in versions 2.5.13, 3.12.1, and 3.13.0-M7.
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
Impacted products
Vendor Product Version
typelevel fs2 Affected: >= 3.0.0-M1, < 3.12.2
Affected: >= 3.13.0-M1, < 3.13.0-M7
Affected: < 2.5.13

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-58369",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-08T20:09:25.588603Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-08T20:09:32.825Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "fs2",
          "vendor": "typelevel",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.0.0-M1, \u003c 3.12.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.13.0-M1, \u003c 3.13.0-M7"
            },
            {
              "status": "affected",
              "version": "\u003c 2.5.13"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "fs2 is a compositional, streaming I/O library for Scala. Versions up to and including 2.5.12, 3.0.0-M1 through 3.12.2, and 3.13.0-M1 through 3.13.0-M6 are vulnerable to denial of service attacks though TLS sessions using fs2-io on the JVM using the fs2.io.net.tls package. When establishing a TLS session, if one side of the connection shuts down `write` while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. The CPU is consumed until the overall connection is closed, potentially shutting down a fs2-io powered server. This issue is fixed in versions  2.5.13, 3.12.1, and 3.13.0-M7."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-07T11:52:43.148Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/typelevel/fs2/security/advisories/GHSA-rrw2-px9j-qffj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/typelevel/fs2/security/advisories/GHSA-rrw2-px9j-qffj"
        },
        {
          "name": "https://github.com/typelevel/fs2/issues/3590",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/typelevel/fs2/issues/3590"
        },
        {
          "name": "https://github.com/typelevel/fs2/commit/46e2dc3abf994dcf3d0b804b2ddb3c10c04d4976",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/typelevel/fs2/commit/46e2dc3abf994dcf3d0b804b2ddb3c10c04d4976"
        },
        {
          "name": "https://github.com/typelevel/fs2/commit/5c6c4c6c1ef330f7e6b53661ecc63d5f5ba8885c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/typelevel/fs2/commit/5c6c4c6c1ef330f7e6b53661ecc63d5f5ba8885c"
        },
        {
          "name": "https://github.com/typelevel/fs2/commit/edf0c4f2e660360d1c1a8c5377ce32294de89238",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/typelevel/fs2/commit/edf0c4f2e660360d1c1a8c5377ce32294de89238"
        },
        {
          "name": "https://github.com/typelevel/fs2/releases/tag/v3.12.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/typelevel/fs2/releases/tag/v3.12.2"
        },
        {
          "name": "https://github.com/typelevel/fs2/releases/tag/v3.13.0-M7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/typelevel/fs2/releases/tag/v3.13.0-M7"
        }
      ],
      "source": {
        "advisory": "GHSA-rrw2-px9j-qffj",
        "discovery": "UNKNOWN"
      },
      "title": "fs2: Half-shutdown of socket during TLS handshake may result in spin loop on opposite side"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-58369",
    "datePublished": "2025-09-05T21:59:58.981Z",
    "dateReserved": "2025-08-29T16:19:59.012Z",
    "dateUpdated": "2025-11-07T11:52:43.148Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-31183 (GCVE-0-2022-31183)

Vulnerability from cvelistv5 – Published: 2022-08-01 19:50 – Updated: 2025-04-22 17:45
Summary
fs2 is a compositional, streaming I/O library for Scala. When establishing a server-mode `TLSSocket` using `fs2-io` on Node.js, the parameter `requestCert = true` is ignored, peer certificate verification is skipped, and the connection proceeds. The vulnerability is limited to: 1. `fs2-io` running on Node.js. The JVM TLS implementation is completely independent. 2. `TLSSocket`s in server-mode. Client-mode `TLSSocket`s are implemented via a different API. 3. mTLS as enabled via `requestCert = true` in `TLSParameters`. The default setting is `false` for server-mode `TLSSocket`s. The vulnerability was introduced with the initial Node.js implementation of fs2-io in 3.1.0. A patch is released in v3.2.11. The requestCert = true parameter is respected and the peer certificate is verified. If verification fails, an SSLException is raised. If using an unpatched version on Node.js, do not use a server-mode TLSSocket with requestCert = true to establish an mTLS connection.
CWE
  • CWE-295 - Improper Certificate Validation
Assigner
Impacted products
Vendor Product Version
typelevel fs2 Affected: >= 3.1.0, < 3.2.11

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:11:39.653Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/typelevel/fs2/security/advisories/GHSA-2cpx-6pqp-wf35"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/nodejs/node/issues/43994"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/typelevel/fs2/commit/659824395826a314e0a4331535dbf1ef8bef8207"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-31183",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-22T15:37:11.291758Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-22T17:45:55.210Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "fs2",
          "vendor": "typelevel",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.1.0, \u003c 3.2.11"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "fs2 is a compositional, streaming I/O library for Scala. When establishing a server-mode `TLSSocket` using `fs2-io` on Node.js, the parameter `requestCert = true` is ignored, peer certificate verification is skipped, and the connection proceeds. The vulnerability is limited to: 1. `fs2-io` running on Node.js. The JVM TLS implementation is completely independent. 2. `TLSSocket`s in server-mode. Client-mode `TLSSocket`s are implemented via a different API. 3. mTLS as enabled via `requestCert = true` in `TLSParameters`. The default setting is `false` for server-mode `TLSSocket`s. It was introduced with the initial Node.js implementation of fs2-io in 3.1.0. A patch is released in v3.2.11. The requestCert = true parameter is respected and the peer certificate is verified. If verification fails, a SSLException is raised. If using an unpatched version on Node.js, do not use a server-mode TLSSocket with requestCert = true to establish a mTLS connection."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "CWE-295: Improper Certificate Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-01T19:50:11.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/typelevel/fs2/security/advisories/GHSA-2cpx-6pqp-wf35"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nodejs/node/issues/43994"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/typelevel/fs2/commit/659824395826a314e0a4331535dbf1ef8bef8207"
        }
      ],
      "source": {
        "advisory": "GHSA-2cpx-6pqp-wf35",
        "discovery": "UNKNOWN"
      },
      "title": "mTLS client verification is skipped in fs2 on Node.js",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-31183",
          "STATE": "PUBLIC",
          "TITLE": "mTLS client verification is skipped in fs2 on Node.js"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "fs2",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 3.1.0, \u003c 3.2.11"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "typelevel"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "fs2 is a compositional, streaming I/O library for Scala. When establishing a server-mode `TLSSocket` using `fs2-io` on Node.js, the parameter `requestCert = true` is ignored, peer certificate verification is skipped, and the connection proceeds. The vulnerability is limited to: 1. `fs2-io` running on Node.js. The JVM TLS implementation is completely independent. 2. `TLSSocket`s in server-mode. Client-mode `TLSSocket`s are implemented via a different API. 3. mTLS as enabled via `requestCert = true` in `TLSParameters`. The default setting is `false` for server-mode `TLSSocket`s. It was introduced with the initial Node.js implementation of fs2-io in 3.1.0. A patch is released in v3.2.11. The requestCert = true parameter is respected and the peer certificate is verified. If verification fails, a SSLException is raised. If using an unpatched version on Node.js, do not use a server-mode TLSSocket with requestCert = true to establish a mTLS connection."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-295: Improper Certificate Validation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/typelevel/fs2/security/advisories/GHSA-2cpx-6pqp-wf35",
              "refsource": "CONFIRM",
              "url": "https://github.com/typelevel/fs2/security/advisories/GHSA-2cpx-6pqp-wf35"
            },
            {
              "name": "https://github.com/nodejs/node/issues/43994",
              "refsource": "MISC",
              "url": "https://github.com/nodejs/node/issues/43994"
            },
            {
              "name": "https://github.com/typelevel/fs2/commit/659824395826a314e0a4331535dbf1ef8bef8207",
              "refsource": "MISC",
              "url": "https://github.com/typelevel/fs2/commit/659824395826a314e0a4331535dbf1ef8bef8207"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-2cpx-6pqp-wf35",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-31183",
    "datePublished": "2022-08-01T19:50:11.000Z",
    "dateReserved": "2022-05-18T00:00:00.000Z",
    "dateUpdated": "2025-04-22T17:45:55.210Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-58369 (GCVE-0-2025-58369)

Vulnerability from nvd – Published: 2025-09-05 21:59 – Updated: 2025-11-07 11:52
Summary
fs2 is a compositional, streaming I/O library for Scala. Versions up to and including 2.5.12, 3.0.0-M1 through 3.12.2, and 3.13.0-M1 through 3.13.0-M6 are vulnerable to denial of service attacks through TLS sessions using fs2-io on the JVM via the fs2.io.net.tls package. When establishing a TLS session, if one side of the connection shuts down `write` while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. The CPU is consumed until the overall connection is closed, potentially shutting down an fs2-io powered server. This issue is fixed in versions 2.5.13, 3.12.1, and 3.13.0-M7.
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
Impacted products
Vendor Product Version
typelevel fs2 Affected: >= 3.0.0-M1, < 3.12.2
Affected: >= 3.13.0-M1, < 3.13.0-M7
Affected: < 2.5.13

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-58369",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-08T20:09:25.588603Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-08T20:09:32.825Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "fs2",
          "vendor": "typelevel",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.0.0-M1, \u003c 3.12.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.13.0-M1, \u003c 3.13.0-M7"
            },
            {
              "status": "affected",
              "version": "\u003c 2.5.13"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "fs2 is a compositional, streaming I/O library for Scala. Versions up to and including 2.5.12, 3.0.0-M1 through 3.12.2, and 3.13.0-M1 through 3.13.0-M6 are vulnerable to denial of service attacks though TLS sessions using fs2-io on the JVM using the fs2.io.net.tls package. When establishing a TLS session, if one side of the connection shuts down `write` while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. The CPU is consumed until the overall connection is closed, potentially shutting down a fs2-io powered server. This issue is fixed in versions  2.5.13, 3.12.1, and 3.13.0-M7."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-07T11:52:43.148Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/typelevel/fs2/security/advisories/GHSA-rrw2-px9j-qffj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/typelevel/fs2/security/advisories/GHSA-rrw2-px9j-qffj"
        },
        {
          "name": "https://github.com/typelevel/fs2/issues/3590",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/typelevel/fs2/issues/3590"
        },
        {
          "name": "https://github.com/typelevel/fs2/commit/46e2dc3abf994dcf3d0b804b2ddb3c10c04d4976",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/typelevel/fs2/commit/46e2dc3abf994dcf3d0b804b2ddb3c10c04d4976"
        },
        {
          "name": "https://github.com/typelevel/fs2/commit/5c6c4c6c1ef330f7e6b53661ecc63d5f5ba8885c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/typelevel/fs2/commit/5c6c4c6c1ef330f7e6b53661ecc63d5f5ba8885c"
        },
        {
          "name": "https://github.com/typelevel/fs2/commit/edf0c4f2e660360d1c1a8c5377ce32294de89238",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/typelevel/fs2/commit/edf0c4f2e660360d1c1a8c5377ce32294de89238"
        },
        {
          "name": "https://github.com/typelevel/fs2/releases/tag/v3.12.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/typelevel/fs2/releases/tag/v3.12.2"
        },
        {
          "name": "https://github.com/typelevel/fs2/releases/tag/v3.13.0-M7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/typelevel/fs2/releases/tag/v3.13.0-M7"
        }
      ],
      "source": {
        "advisory": "GHSA-rrw2-px9j-qffj",
        "discovery": "UNKNOWN"
      },
      "title": "fs2: Half-shutdown of socket during TLS handshake may result in spin loop on opposite side"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-58369",
    "datePublished": "2025-09-05T21:59:58.981Z",
    "dateReserved": "2025-08-29T16:19:59.012Z",
    "dateUpdated": "2025-11-07T11:52:43.148Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-31183 (GCVE-0-2022-31183)

Vulnerability from nvd – Published: 2022-08-01 19:50 – Updated: 2025-04-22 17:45
Summary
fs2 is a compositional, streaming I/O library for Scala. When establishing a server-mode `TLSSocket` using `fs2-io` on Node.js, the parameter `requestCert = true` is ignored, peer certificate verification is skipped, and the connection proceeds. The vulnerability is limited to: 1. `fs2-io` running on Node.js. The JVM TLS implementation is completely independent. 2. `TLSSocket`s in server-mode. Client-mode `TLSSocket`s are implemented via a different API. 3. mTLS as enabled via `requestCert = true` in `TLSParameters`. The default setting is `false` for server-mode `TLSSocket`s. The vulnerability was introduced with the initial Node.js implementation of fs2-io in 3.1.0. A patch is released in v3.2.11. The requestCert = true parameter is respected and the peer certificate is verified. If verification fails, an SSLException is raised. If using an unpatched version on Node.js, do not use a server-mode TLSSocket with requestCert = true to establish an mTLS connection.
CWE
  • CWE-295 - Improper Certificate Validation
Assigner
Impacted products
Vendor Product Version
typelevel fs2 Affected: >= 3.1.0, < 3.2.11

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:11:39.653Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/typelevel/fs2/security/advisories/GHSA-2cpx-6pqp-wf35"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/nodejs/node/issues/43994"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/typelevel/fs2/commit/659824395826a314e0a4331535dbf1ef8bef8207"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-31183",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-22T15:37:11.291758Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-22T17:45:55.210Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "fs2",
          "vendor": "typelevel",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.1.0, \u003c 3.2.11"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "fs2 is a compositional, streaming I/O library for Scala. When establishing a server-mode `TLSSocket` using `fs2-io` on Node.js, the parameter `requestCert = true` is ignored, peer certificate verification is skipped, and the connection proceeds. The vulnerability is limited to: 1. `fs2-io` running on Node.js. The JVM TLS implementation is completely independent. 2. `TLSSocket`s in server-mode. Client-mode `TLSSocket`s are implemented via a different API. 3. mTLS as enabled via `requestCert = true` in `TLSParameters`. The default setting is `false` for server-mode `TLSSocket`s. It was introduced with the initial Node.js implementation of fs2-io in 3.1.0. A patch is released in v3.2.11. The requestCert = true parameter is respected and the peer certificate is verified. If verification fails, a SSLException is raised. If using an unpatched version on Node.js, do not use a server-mode TLSSocket with requestCert = true to establish a mTLS connection."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "CWE-295: Improper Certificate Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-01T19:50:11.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/typelevel/fs2/security/advisories/GHSA-2cpx-6pqp-wf35"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nodejs/node/issues/43994"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/typelevel/fs2/commit/659824395826a314e0a4331535dbf1ef8bef8207"
        }
      ],
      "source": {
        "advisory": "GHSA-2cpx-6pqp-wf35",
        "discovery": "UNKNOWN"
      },
      "title": "mTLS client verification is skipped in fs2 on Node.js",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-31183",
          "STATE": "PUBLIC",
          "TITLE": "mTLS client verification is skipped in fs2 on Node.js"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "fs2",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 3.1.0, \u003c 3.2.11"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "typelevel"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "fs2 is a compositional, streaming I/O library for Scala. When establishing a server-mode `TLSSocket` using `fs2-io` on Node.js, the parameter `requestCert = true` is ignored, peer certificate verification is skipped, and the connection proceeds. The vulnerability is limited to: 1. `fs2-io` running on Node.js. The JVM TLS implementation is completely independent. 2. `TLSSocket`s in server-mode. Client-mode `TLSSocket`s are implemented via a different API. 3. mTLS as enabled via `requestCert = true` in `TLSParameters`. The default setting is `false` for server-mode `TLSSocket`s. It was introduced with the initial Node.js implementation of fs2-io in 3.1.0. A patch is released in v3.2.11. The requestCert = true parameter is respected and the peer certificate is verified. If verification fails, a SSLException is raised. If using an unpatched version on Node.js, do not use a server-mode TLSSocket with requestCert = true to establish a mTLS connection."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-295: Improper Certificate Validation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/typelevel/fs2/security/advisories/GHSA-2cpx-6pqp-wf35",
              "refsource": "CONFIRM",
              "url": "https://github.com/typelevel/fs2/security/advisories/GHSA-2cpx-6pqp-wf35"
            },
            {
              "name": "https://github.com/nodejs/node/issues/43994",
              "refsource": "MISC",
              "url": "https://github.com/nodejs/node/issues/43994"
            },
            {
              "name": "https://github.com/typelevel/fs2/commit/659824395826a314e0a4331535dbf1ef8bef8207",
              "refsource": "MISC",
              "url": "https://github.com/typelevel/fs2/commit/659824395826a314e0a4331535dbf1ef8bef8207"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-2cpx-6pqp-wf35",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-31183",
    "datePublished": "2022-08-01T19:50:11.000Z",
    "dateReserved": "2022-05-18T00:00:00.000Z",
    "dateUpdated": "2025-04-22T17:45:55.210Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

FKIE_CVE-2022-31183

Vulnerability from fkie_nvd - Published: 2022-08-01 20:15 - Updated: 2024-11-21 07:04
Summary
fs2 is a compositional, streaming I/O library for Scala. When establishing a server-mode `TLSSocket` using `fs2-io` on Node.js, the parameter `requestCert = true` is ignored, peer certificate verification is skipped, and the connection proceeds — in effect any client is accepted as if it had presented a valid certificate, which defeats the client-authentication property mTLS is meant to provide. The vulnerability is limited to: 1. `fs2-io` running on Node.js. The JVM TLS implementation is completely independent. 2. `TLSSocket`s in server-mode. Client-mode `TLSSocket`s are implemented via a different API. 3. mTLS as enabled via `requestCert = true` in `TLSParameters`. The default setting is `false` for server-mode `TLSSocket`s. It was introduced with the initial Node.js implementation of fs2-io in 3.1.0. A patch is released in v3.2.11: the `requestCert = true` parameter is respected and the peer certificate is verified; if verification fails, an `SSLException` is raised. If using an unpatched version on Node.js, do not use a server-mode `TLSSocket` with `requestCert = true` to establish an mTLS connection, since that configuration silently provides no client authentication.
Impacted products
Vendor Product Version
typelevel fs2 * (CPE wildcard; the configuration record below narrows the affected range to >= 3.1.0 and < 3.2.11)

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:typelevel:fs2:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "750D10F3-1FF8-4173-A44A-ACDE06641472",
              "versionEndExcluding": "3.2.11",
              "versionStartIncluding": "3.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "fs2 is a compositional, streaming I/O library for Scala. When establishing a server-mode `TLSSocket` using `fs2-io` on Node.js, the parameter `requestCert = true` is ignored, peer certificate verification is skipped, and the connection proceeds. The vulnerability is limited to: 1. `fs2-io` running on Node.js. The JVM TLS implementation is completely independent. 2. `TLSSocket`s in server-mode. Client-mode `TLSSocket`s are implemented via a different API. 3. mTLS as enabled via `requestCert = true` in `TLSParameters`. The default setting is `false` for server-mode `TLSSocket`s. It was introduced with the initial Node.js implementation of fs2-io in 3.1.0. A patch is released in v3.2.11. The requestCert = true parameter is respected and the peer certificate is verified. If verification fails, a SSLException is raised. If using an unpatched version on Node.js, do not use a server-mode TLSSocket with requestCert = true to establish a mTLS connection."
    },
    {
      "lang": "es",
      "value": "fs2 es una librer\u00eda de E/S de composici\u00f3n para Scala. Cuando es establecido un \"TLSSocket\" en modo servidor usando \"fs2-io\" en Node.js, el par\u00e1metro \"requestCert = true\" es ignorado, la verificaci\u00f3n del certificado del compa\u00f1ero es omitida, y la conexi\u00f3n procede. La vulnerabilidad es limitada a: 1. \"fs2-io\" corriendo en Node.js. La implementaci\u00f3n de TLS en la JVM es completamente independiente. 2. \"TLSSocket\"s en modo servidor. Los \"TLSSocket\" en modo cliente es implementado por medio de una API diferente. 3. mTLS est\u00e1 habilitado por medio de \"requestCert = true\" en \"TLSParameters\". La configuraci\u00f3n por defecto es \"false\" para los \"TLSSocket\" en modo servidor. Es introducida con la implementaci\u00f3n inicial de Node.js de fs2-io en la versi\u00f3n 3.1.0. Ha sido publicado un parche en la versi\u00f3n 3.2.11. Es respetado el par\u00e1metro requestCert = true y es verificado el certificado del compa\u00f1ero. Si la verificaci\u00f3n falla, es lanzada una SSLException. Si es usada una versi\u00f3n sin parche en Node.js, no debe usarse un TLSSocket en modo servidor con requestCert = true para establecer una conexi\u00f3n mTLS"
    }
  ],
  "id": "CVE-2022-31183",
  "lastModified": "2024-11-21T07:04:04.403",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-08-01T20:15:08.410",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://github.com/nodejs/node/issues/43994"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/typelevel/fs2/commit/659824395826a314e0a4331535dbf1ef8bef8207"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/typelevel/fs2/security/advisories/GHSA-2cpx-6pqp-wf35"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://github.com/nodejs/node/issues/43994"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/typelevel/fs2/commit/659824395826a314e0a4331535dbf1ef8bef8207"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/typelevel/fs2/security/advisories/GHSA-2cpx-6pqp-wf35"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-295"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}