Scala Security Audit

2026-06-01T00:00:00+02:00

Introduction

Scala is a modern multi-paradigm programming language designed to express common programming patterns in a concise, elegant, and type-safe way. It seamlessly integrates features of object-oriented and functional languages. Over the years, Scala has evolved through several major iterations, with Scala 2 and Scala 3 representing the most significant major versions to date. Scala 3 introduces a modernized syntax, a more consistent type system, and a new compiler. These improvements aim to simplify the language, make code easier to read and maintain, while remaining broadly compatible with existing Scala 2 code. The security audit is particularly focused on Scala 3.

The audit started with a discovery phase in which auditors examined the Scala documentation and source code to understand the project, its security guarantees, and defined the audit scope by designing a threat model. As a second step, a detailed manual code review was conducted to detect vulnerabilities, focusing first on the critical functionalities identified in the threat model. In parallel, automated static analysis tools such as Gadget Inspector and Opengrep were used to scan the codebase for potential security issues. Finally, the auditors performed dynamic testing using fuzzing techniques on the most critical components of the Scala standard library and provided recommendations to address the vulnerabilities found.

Scope

The audit focused on the core components of the Scala ecosystem, including the Scala 3 compiler, its compilation pipeline, generated JVM bytecode, the Scala REPL, the TASTy Inspector, and the Scala documentation generator. The assessment also covered the Scala standard library, particularly collections, concurrency primitives and other utility modules. The threat model addressed two primary threat actors:

malicious end users interacting with Scala applications through exposed interfaces;
malicious developers or operators with privileged access to the source code or build process.

Giving the time frame allow, auditors have chosen to consider out of scope:

vulnerabilities related to compiler mechanisms executing user-provided code;
the Scala 2 compiler;
separated standard library modules such as scala-xml or scala-swing;
third-party dependencies;
runtime environment security issues related to the JVM.

The full report of the assessment can be found on Quarkslab's public reports repository.

Findings

The table below summarizes the findings of the audit. A total of 9 vulnerabilities were identified: 5 of medium severity, 2 of low severity, and 2 informative issues.

ID	Title	Severity	Perimeter
MEDIUM-1	`scala.sys.Process.ProcessBuilderImpl` `AbstractFunction0` may be used as a deserialization gadget	Medium	Scala 3.8-RC1 standard library
MEDIUM-6	Stored XSS vulnerability in Scaladoc	Medium	Scala 3.8-RC1 Scaladoc
MEDIUM-7	Unexpected return value in `scala.collection.SeqOps.indexOfSlice` on empty sequences	Medium	Scala 3.8-RC1 standard library
MEDIUM-8	Uncaught `ParseException` in `scala.sys.process.Parser.tokenize` on unmatched quotes	Medium	Scala 3.8-RC1 standard library
MEDIUM-9	Infinite loop during section loading in `dotty.tools.dotc.core.tasty.TastyUnpickler`	Medium	Scala 3.8-RC1 Dotty
LOW-2	Potential command injection in GitHub Actions CI/CD scripts	Low	Scala 3.8-RC1 GitHub Actions Workflows
LOW-5	Scala Java produced bytecode could lead to conflicts as the compiler doesn’t check for them between generated and user-defined methods	Low	Scala 3.8-RC1 Dotty
INFO-1	Use of non-cryptographically secure random number generator	Info	Scala 3.8-RC1 Dotty compiler
INFO-4	`TastyPrinter` silently skips `.tasty` files in subdirectories of a `.jar`	Info	Scala 3.8-RC1 scala (-print-tasty)

Conclusion

Quarkslab identified several vulnerabilities and implementation bugs within the Scala code base. Most of these issues require specific preconditions to exploit, but their presence still poses a security risk. At the same time, Quarkslab acknowledges the significant security engineering efforts invested by the Scala development team. Alongside the vulnerability disclosures, Quarkslab provided actionable recommendations and mitigation strategies to address the identified issues. By addressing these findings, the Scala maintainers have the opportunity to further improve the robustness of the project, ensuring greater resilience in production environments and strengthening the overall security posture of the Scala ecosystem.

We truly enjoyed collaborating with the OSTIF and we extend our sincere thanks to Scala's Maintenair for his availability, responsiveness, and the constructive discussions that made this collaboration so effective.

Quarkslab's blog - scala

Scala Security Audit

Introduction

Scope

Findings

Conclusion

Further reading