CVE-2025-69277

Description

libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.

CVSS v3.1 Score

4.5

MEDIUM

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

Weakness Type (CWE)

CWE-184 CWE-184

References

Other References

https://00f.net/2025/12/30/libsodium-vulnerability/ https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae https://github.com/pyca/pynacl/commit/96314884d88d1089ff5f336dba61d7abbcddbbf7 https://github.com/pyca/pynacl/commit/ecf41f55a3d8f1e10ce89c61c4b4d67f3f4467cf https://github.com/pyca/pynacl/issues/920 https://ianix.com/pub/ed25519-deployment.html https://news.ycombinator.com/item?id=46435614 https://lists.debian.org/debian-lts-announce/2026/01/msg00004.html

Frequently Asked Questions

What is CVE-2025-69277? +

libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group. It has a CVSS v3.1 base score of 4.5 (MEDIUM).

How severe is CVE-2025-69277? +

CVE-2025-69277 has a CVSS v3.1 score of 4.5 out of 10, rated MEDIUM. This is a medium-severity vulnerability that should be remediated as part of regular maintenance.

How do I check if I'm vulnerable to CVE-2025-69277? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2024-51745 10.0

Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device …

CVE-2026-41264 9.8

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the …

CVE-2024-5217 9.8

ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. …

CVE-2025-1716 9.8

picklescan before 0.0.21 does not treat 'pip' as an unsafe global. An attacker could craft a malicious model that uses …

CVE-2026-34415 9.8

Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails …

CVE-2025-58361 9.3

Promptcraft Forge Studio is a toolkit for evaluating, optimizing, and maintaining LLM-powered applications. All versions contain an non-exhaustive URL scheme …