CVE-2025-69277: libsodium has Incomplete List of Disallowed Inputs
(updated )
libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren’t in the main cryptographic group.
This advisoory lists packages in the GitHub Advisory Database’s supported ecosystems that are affected by this vulnerability due to a vulnerable dependency.
References
- 00f.net/2025/12/30/libsodium-vulnerability
- github.com/FriendsOfPHP/security-advisories/blob/master/paragonie/sodium_compat/2025-12-30.yaml
- github.com/advisories/GHSA-mrfv-m5wm-5w6w
- github.com/hdwallet-io/python-hdwallet/pull/124
- github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae
- github.com/paragonie/sodium_compat
- github.com/paragonie/sodium_compat/commit/2cb48f26130919f92f30650bdcc30e6f4ebe45ac
- github.com/paragonie/sodium_compat/commit/4714da6efdc782c06690bc72ce34fae7941c2d9f
- github.com/pyca/pynacl/commit/96314884d88d1089ff5f336dba61d7abbcddbbf7
- github.com/pyca/pynacl/commit/ecf41f55a3d8f1e10ce89c61c4b4d67f3f4467cf
- github.com/pyca/pynacl/issues/920
- ianix.com/pub/ed25519-deployment.html
- lists.debian.org/debian-lts-announce/2026/01/msg00004.html
- news.ycombinator.com/item?id=46435614
- nvd.nist.gov/vuln/detail/CVE-2025-69277
Code Behaviors & Features
Detect and mitigate CVE-2025-69277 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →