Description

libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.

Related CPE's

Could not find any relations

References

https://00f.net/2025/12/30/libsodium-vulnerability/

https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae

https://ianix.com/pub/ed25519-deployment.html

https://news.ycombinator.com/item?id=46435614

Weaknesses

[email protected]

Primary
CWE-184

CVSS impact metrics

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

4.5 · Medium

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Received

Published

2025-12-31T06:15:41.513

2 hours ago

Last modified

2025-12-31T06:15:41.513

2 hours ago