The Scala team has partnered with the Open Source Technology Improvement Fund (OSTIF) to conduct its first security audit. This initiative aims to identify potential vulnerabilities through static and dynamic analysis and provide greater confidence in Scala. The security audit conducted by Quarkslab is particularly focused on Scala 3.


Introduction

Scala is a modern multi-paradigm programming language designed to express common programming patterns in a concise, elegant, and type-safe way. It seamlessly integrates features of object-oriented and functional languages. Over the years, Scala has evolved through several major iterations, Scala 2 and Scala 3 being the most significant major versions to date. Scala 3 introduces a modernized syntax, a more consistent type system, and a new compiler. These improvements aim to simplify the language and make code easier to read and maintain, while remaining broadly compatible with existing Scala 2 code. The security audit is particularly focused on Scala 3.

The audit started with a discovery phase in which auditors examined the Scala documentation and source code to understand the project, its security guarantees, and defined the audit scope by designing a threat model. As a second step, a detailed manual code review was conducted to detect vulnerabilities, focusing first on the critical functionalities identified in the threat model. In parallel, automated static analysis tools such as Gadget Inspector and Opengrep were used to scan the codebase for potential security issues. Finally, the auditors performed dynamic testing using fuzzing techniques on the most critical components of the Scala standard library and provided recommendations to address the vulnerabilities found.

Scope

The audit focused on the core components of the Scala ecosystem, including the Scala 3 compiler, its compilation pipeline, generated JVM bytecode, the Scala REPL, the TASTy Inspector, and the Scala documentation generator. The assessment also covered the Scala standard library, particularly collections, concurrency primitives and other utility modules. The threat model addressed two primary threat actors:

  • malicious end users interacting with Scala applications through exposed interfaces;
  • malicious developers or operators with privileged access to the source code or build process.

Given the time frame allowed, the auditors chose to consider the following out of scope:

  • vulnerabilities related to compiler mechanisms executing user-provided code;
  • the Scala 2 compiler;
  • separate standard library modules such as scala-xml or scala-swing;
  • third-party dependencies;
  • runtime environment security issues related to the JVM.

The full report of the assessment can be found on Quarkslab's public reports repository.

Findings

The table below summarizes the findings of the audit. A total of 9 vulnerabilities were identified: 5 of medium severity, 2 of low severity, and 2 informative issues.

ID | Title | Severity | Perimeter
---|---|---|---
MEDIUM-1 | `scala.sys.process.ProcessBuilderImpl` `AbstractFunction0` may be used as a deserialization gadget | Medium | Scala 3.8-RC1 standard library
MEDIUM-6 | Stored XSS vulnerability in Scaladoc | Medium | Scala 3.8-RC1 Scaladoc
MEDIUM-7 | Unexpected return value in `scala.collection.SeqOps.indexOfSlice` on empty sequences | Medium | Scala 3.8-RC1 standard library
MEDIUM-8 | Uncaught `ParseException` in `scala.sys.process.Parser.tokenize` on unmatched quotes | Medium | Scala 3.8-RC1 standard library
MEDIUM-9 | Infinite loop during section loading in `dotty.tools.dotc.core.tasty.TastyUnpickler` | Medium | Scala 3.8-RC1 Dotty
LOW-2 | Potential command injection in GitHub Actions CI/CD scripts | Low | Scala 3.8-RC1 GitHub Actions workflows
LOW-5 | Compiler-generated JVM methods may conflict with user-defined methods, because the compiler does not check for such clashes | Low | Scala 3.8-RC1 Dotty
INFO-1 | Use of non-cryptographically secure random number generator | Info | Scala 3.8-RC1 Dotty compiler
INFO-4 | `TastyPrinter` silently skips `.tasty` files in subdirectories of a `.jar` | Info | Scala 3.8-RC1 `scala -print-tasty`
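Two of the findings above, MEDIUM-1 and MEDIUM-8, concern the same package, `scala.sys.process`, and both have mitigations an application developer can apply today without waiting for a library fix. The following Scala 3 example is added here to illustrate them; it is not code from the audit report or from the Scala code base. It assumes that `Process(String)` tokenizes its argument with `scala.sys.process.Parser.tokenize` and that the `ParseException` raised on an unmatched quote is a `RuntimeException` (so it is caught by `scala.util.Try`), and it treats rejecting the whole `scala.sys.process` package in a JDK `ObjectInputFilter` as defence in depth against the gadget, since the page does not describe the gadget chain itself. The object name `ProcessHardening` and the filter pattern are the example's own choices.

```scala
// Added example, not code from the audit report or the Scala code base.
// Assumptions (not stated on the page): Process(String) runs
// scala.sys.process.Parser.tokenize on its argument, whose ParseException is a
// RuntimeException; and rejecting the scala.sys.process package in a
// deserialization filter is a reasonable defence in depth against MEDIUM-1.
import java.io.{ByteArrayInputStream, ByteArrayOutputStream, InvalidClassException,
  ObjectInputFilter, ObjectInputStream, ObjectOutputStream}
import scala.sys.process._
import scala.util.Try

object ProcessHardening:

  // MEDIUM-8: Process(String) parses the line with shell quoting rules, and an
  // unmatched quote surfaces as an uncaught RuntimeException at construction
  // time. Wrapping the construction turns that into a value the caller handles.
  def parseCommandLine(line: String): Either[String, ProcessBuilder] =
    Try(Process(line)).toEither.left.map(e => s"rejected command line: ${e.getMessage}")

  // Preferred for untrusted input: pass an argument vector. Quotes in the
  // arguments are then data, never syntax, and no tokenizer runs at all.
  def argv(program: String, args: Seq[String]): ProcessBuilder =
    Process(program +: args)

  // MEDIUM-1: an allow-list deserialization filter (JDK 9+ ObjectInputFilter).
  // A leading '!' rejects, the first matching pattern wins, and the trailing
  // "!*" rejects every class not explicitly allowed. The explicit rejection of
  // scala.sys.process.** documents intent even though "!*" would also cover it.
  val filter: ObjectInputFilter = ObjectInputFilter.Config.createFilter(
    "!scala.sys.process.**;java.base/*;scala.collection.**;scala.runtime.**;scala.*;!*"
  )

  // Asks the filter how it would treat a class, without building a gadget stream.
  def decide(cls: Class[?]): ObjectInputFilter.Status =
    filter.checkInput(new ObjectInputFilter.FilterInfo:
      def serialClass(): Class[?] = cls
      def arrayLength(): Long = -1L
      def depth(): Long = 1L
      def references(): Long = 0L
      def streamBytes(): Long = 0L
    )

  // Serializes a payload and reads it back with the filter installed, so a
  // rejected class fails with InvalidClassException instead of being instantiated.
  def roundTrip(payload: AnyRef): Either[String, AnyRef] =
    val bytes = new ByteArrayOutputStream()
    val out = new ObjectOutputStream(bytes)
    try out.writeObject(payload) finally out.close()
    val in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray))
    in.setObjectInputFilter(filter)
    try Right(in.readObject())
    catch case e: InvalidClassException => Left(s"filter rejected stream: ${e.getMessage}")
    finally in.close()

  def main(args: Array[String]): Unit =
    // Constructed inputs: a balanced command line and one with an unmatched quote.
    println(parseCommandLine("echo \"hello world\""))
    println(parseCommandLine("echo \"unterminated"))
    // The argv form never tokenizes, so the stray quote is just an argument.
    println(argv("echo", Seq("\"not a quote")).!!)
    // Filter decisions for a scala.sys.process type and for an ordinary collection.
    println(decide(classOf[ProcessBuilder]))
    println(decide(classOf[List[?]]))
    println(roundTrip(List(1, 2, 3)))
```

The filter is deliberately narrow: an application that deserializes its own case classes must add their packages to the allow-list, and the list above is a starting point rather than a verified policy for any particular code base. The argument-vector form of `Process` is the change that actually removes the parsing problem; catching the exception only prevents a malformed line from crashing the caller.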

Conclusion

Quarkslab identified several vulnerabilities and implementation bugs within the Scala code base. Most of these issues require specific preconditions to exploit, but their presence still poses a security risk. At the same time, Quarkslab acknowledges the significant security engineering efforts invested by the Scala development team. Alongside the vulnerability disclosures, Quarkslab provided actionable recommendations and mitigation strategies to address the identified issues. By addressing these findings, the Scala maintainers have the opportunity to further improve the robustness of the project, ensuring greater resilience in production environments and strengthening the overall security posture of the Scala ecosystem.

We truly enjoyed collaborating with the OSTIF and we extend our sincere thanks to Scala's maintainer for his availability, responsiveness, and the constructive discussions that made this collaboration so effective.

Further reading


If you would like to learn more about our security audits and explore how we can help you, get in touch with us!