The Open Source Technology Improvement Fund is proud to share the results of our security audit of Scala. Scala is a modern multi-paradigm programming language designed to express common programming patterns in a concise, elegant, and type-safe way. It seamlessly integrates features of object-oriented and functional languages. To improve the security and reliability of this widely used open source technology, the Scala team partnered with OSTIF to conduct its first-ever security audit. Thanks to the Sovereign Tech Fund and Quarkslab, the Scala project received custom security work designed to help its short and long term development. 

Audit Process

This engagement was executed by a team of three auditors from Quarkslab and was published in March 2026. The audit focused on the standard library shared by Scala 2 and Scala 3. The methodology proceeded through four structured phases:

  • Discovery: Exploring Scala’s documentation and source code to understand the project’s architecture and security guarantees, and defining the scope of the audit.
  • Threat Modeling: Identifying and prioritizing potential risks in collaboration with OSTIF and the Scala development team.
  • Static Analysis and Manual Code Review: In-depth analysis of the codebase using both manual review and automated tools, including Gadget Inspector and Opengrep.
  • Dynamic Testing: Coverage-guided fuzzing using Jazzer, LLM-assisted fuzzing targeting the Scala REPL, and manual testing of components such as Scaladoc.

Results

The audit produced 9 total findings across three severity levels:

  • 5 Medium
  • 2 Low
  • 2 Informational

No critical or high severity issues were identified. All issues were fixed by the Scala team before this release. For the full technical details of all findings and the recommended remediation steps, please refer to the full report linked below.

Quarkslab acknowledged the significant security engineering efforts already invested by the Scala development team. Most of the identified issues require specific preconditions to be exploited. Alongside the vulnerability disclosures, Quarkslab provided actionable recommendations and mitigation strategies, giving the Scala maintainers a clear path to further improve the robustness of the project and strengthen the overall security posture of the Scala ecosystem.

Thank You

Thank you to the individuals and groups that made this engagement possible:

  • Scala maintainers and community, especially: Darja Jovanovic
  • Quarkslab: Samuel Hangouët, Sébastien Rolland, Pauline Sauder, Jean-Christophe Tambrun
  • Sovereign Tech Agency

The full report is publicly available.

[Link to Full Report]

Read Scala’s blog about the work HERE

This engagement was made possible through the continued advocacy of OSTIF on Scala’s behalf; the two organizations worked together for over a year to source the necessary funding. OSTIF believes firmly not just in improving open source security but in the advocacy needed to secure support for the maintainers and foundations involved in open source software.