{"id":"CVE-2025-69277","details":"libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.","aliases":["GHSA-mrfv-m5wm-5w6w"],"modified":"2026-04-16T04:36:45.058231605Z","published":"2025-12-31T06:15:41.513Z","related":["CGA-3w6r-7hgh-chw3","SUSE-SU-2026:0368-1","SUSE-SU-2026:0482-1","SUSE-SU-2026:20448-1","SUSE-SU-2026:20484-1","openSUSE-SU-2026:10130-1"],"references":[{"type":"WEB","url":"https://ianix.com/pub/ed25519-deployment.html"},{"type":"WEB","url":"https://news.ycombinator.com/item?id=46435614"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2026/01/msg00004.html"},{"type":"WEB","url":"https://00f.net/2025/12/30/libsodium-vulnerability/"},{"type":"REPORT","url":"https://github.com/pyca/pynacl/issues/920"},{"type":"FIX","url":"https://github.com/pyca/pynacl/commit/96314884d88d1089ff5f336dba61d7abbcddbbf7"},{"type":"FIX","url":"https://github.com/pyca/pynacl/commit/ecf41f55a3d8f1e10ce89c61c4b4d67f3f4467cf"},{"type":"FIX","url":"https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jedisct1/libsodium","events":[{"introduced":"0"},{"fixed":"ad3004ec8731730e93fcfbbc824e67eadc1c1bae"}]},{"type":"GIT","repo":"https://github.com/pyca/pynacl","events":[{"introduced":"0"},{"fixed":"96314884d88d1089ff5f336dba61d7abbcddbbf7"}]},{"type":"GIT","repo":"https://github.com/pyca/pynacl","events":[{"introduced":"0"},{"fixed":"ecf41f55a3d8f1e10ce89c61c4b4d67f3f4467cf"}]}],"versions":["0.1","0.2","0.3","0.4","0.4.1","0.4.2","0.4.3","0.4.4","0.4.5","0.5.0","0.6.1","0.7.0","0.7.1","1.0","1.0.0","1.0.1","1.0.10","1.0.11","1.0.12","1.0.13","1.0.14","1.0.15","1.0.16","1.0.17-RELEASE","1.0.2","1.0.3","1.0.4","1.0.5","1.0.6","1.0.7","1.0.8","1.0.9","1.1.0","1.2.0","1.2.1","1.3.0","1.4.0","1.5.0","1.6.0","1.6.1","v0.1.0","v0.2.0","v0.2.1","v0.2.2","v0.2.3","v0.3.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-69277.json","vanir_signatures":[{"signature_version":"v1","signature_type":"Line","source":"https://github.com/pyca/pynacl/commit/96314884d88d1089ff5f336dba61d7abbcddbbf7","id":"CVE-2025-69277-0eebc82f","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["212545448405461152803791335135381267992","312151617226326667937593172010765607184","128278506161363206868872993598123823558","97497220593994685154155231351966729460","310808618129524909767814430476004010864","154768585138651621607283027763529720073","180696666794389501438063077626441674698","150740775544592619137927485032492522528","253400393258293317607046817605801537889","255691829547427693948759257568608812603"]},"target":{"file":"src/libsodium/src/libsodium/include/sodium/crypto_stream_xsalsa20.h"}},{"signature_version":"v1","signature_type":"Function","source":"https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae","id":"CVE-2025-69277-19ea9e1a","deprecated":false,"digest":{"length":15913,"function_hash":"271864492409172204729158493267951380532"},"target":{"file":"test/default/core_ed25519.c","function":"main"}},{"signature_version":"v1","source":"https://github.com/pyca/pynacl/commit/96314884d88d1089ff5f336dba61d7abbcddbbf7","signature_type":"Function","id":"CVE-2025-69277-1beb1521","deprecated":false,"digest":{"length":2544,"function_hash":"131398867109942479293434355925474420725"},"target":{"file":"src/libsodium/test/default/kdf_hkdf.c","function":"tv_kdf_hkdf"}},{"signature_version":"v1","source":"https://github.com/pyca/pynacl/commit/96314884d88d1089ff5f336dba61d7abbcddbbf7","signature_type":"Function","id":"CVE-2025-69277-20b32581","target":{"file":"src/libsodium/src/libsodium/crypto_aead/aegis256/aead_aegis256.c","function":"crypto_aead_aegis256_decrypt_detached"},"digest":{"length":574,"function_hash":"114222562660225395884701128546251842119"},"deprecated":false},{"signature_version":"v1","source":"https://github.com/pyca/pynacl/commit/96314884d88d1089ff5f336dba61d7abbcddbbf7","signature_type":"Line","id":"CVE-2025-69277-2cf27545","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["148238756903952498516459527517699170239"]},"target":{"file":"src/libsodium/src/libsodium/crypto_scalarmult/curve25519/scalarmult_curve25519.h"}},{"signature_version":"v1","source":"https://github.com/pyca/pynacl/commit/96314884d88d1089ff5f336dba61d7abbcddbbf7","signature_type":"Line","id":"CVE-2025-69277-31afbf34","deprecated":false,"digest":{"line_hashes":["35763523153553856297749739822295708132","312151617226326667937593172010765607184","320520205424720240201807941609053313374","330301186823042395155303222349190063360","58224188167111022504761544212561448149","93299447852417317163792918148399519125","180696666794389501438063077626441674698","150740775544592619137927485032492522528","20517079455102808591930632087852455797","297096546128251582609800710212822579643"],"threshold":0.9},"target":{"file":"src/libsodium/src/libsodium/include/sodium/crypto_stream_xchacha20.h"}},{"signature_version":"v1","source":"https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae","signature_type":"Line","id":"CVE-2025-69277-39af8400","deprecated":false,"digest":{"line_hashes":["241291362390970966119687003418518640000","148998168988971462501772092656155965283","180662736039736298842660616799743332709","236781085191269839238480224756322864215","244725727458201247031675736095252993838","11419066337079980079544781403154436620","207472804640406634179816897796173202","40219272335220661788972820483796946923","64018105627283189161448413090029376271","250432648790730546764706619234776830385","251242987065344112180028105881764441916"],"threshold":0.9},"target":{"file":"test/default/core_ed25519.c"}},{"signature_version":"v1","source":"https://github.com/pyca/pynacl/commit/96314884d88d1089ff5f336dba61d7abbcddbbf7","signature_type":"Line","id":"CVE-2025-69277-3f16fc82","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["271663594888348870267900484049100300630","290771201144189714746254621497741573569","144383736438328453684736026435437667810","273911687074447114566193087324323294498"]},"target":{"file":"src/libsodium/src/libsodium/include/sodium/crypto_stream_salsa208.h"}},{"signature_version":"v1","signature_type":"Line","source":"https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae","id":"CVE-2025-69277-52bcd3fc","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["85590579739442630473906153250189822304","240838851987162662003026314670961205689","321302984625379645327288223242572254769","152774947681641221797454343977315974438","208498853723714622487037809059887703408","328476950466293324903342946523090922299"]},"target":{"file":"src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c"}},{"signature_version":"v1","signature_type":"Function","source":"https://github.com/pyca/pynacl/commit/96314884d88d1089ff5f336dba61d7abbcddbbf7","id":"CVE-2025-69277-5aedfddf","deprecated":false,"digest":{"length":3579,"function_hash":"274013126951256067048460190524740750409"},"target":{"file":"src/libsodium/test/default/scalarmult_ed25519.c","function":"main"}},{"signature_version":"v1","source":"https://github.com/pyca/pynacl/commit/96314884d88d1089ff5f336dba61d7abbcddbbf7","signature_type":"Line","id":"CVE-2025-69277-5e41f4cd","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["109114691463905260914974025536239080913","127618696265037936443085496967502856630","68735696391077202236332826559617805423","337215013836031058368149537683350340962","175061422976152892148562976048188341927","77097099692605930375766013882892308545"]},"target":{"file":"src/libsodium/src/libsodium/crypto_aead/aegis256/aead_aegis256.c"}},{"signature_version":"v1","signature_type":"Function","source":"https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae","id":"CVE-2025-69277-6d6782e4","deprecated":false,"digest":{"length":113,"function_hash":"225152862173646219701680893385147273816"},"target":{"file":"src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c","function":"ge25519_is_on_main_subgroup"}},{"signature_version":"v1","source":"https://github.com/pyca/pynacl/commit/96314884d88d1089ff5f336dba61d7abbcddbbf7","signature_type":"Line","id":"CVE-2025-69277-72d66064","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["315816786737262108165202358389495448512","63845873964713730487360122376010485090","229950918726258728907489947566772076964","273579080591120347021954521321661968276","173279987079037933167545833818492674785","261691840954649791837391579856369186657"]},"target":{"file":"src/libsodium/src/libsodium/crypto_aead/aegis128l/aead_aegis128l.c"}},{"signature_version":"v1","source":"https://github.com/pyca/pynacl/commit/96314884d88d1089ff5f336dba61d7abbcddbbf7","signature_type":"Line","id":"CVE-2025-69277-743fdac7","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["241291362390970966119687003418518640000","148998168988971462501772092656155965283","180662736039736298842660616799743332709","236781085191269839238480224756322864215","244725727458201247031675736095252993838","11419066337079980079544781403154436620","207472804640406634179816897796173202","40219272335220661788972820483796946923","64018105627283189161448413090029376271","250432648790730546764706619234776830385","251242987065344112180028105881764441916"]},"target":{"file":"src/libsodium/test/default/core_ed25519.c"}},{"signature_version":"v1","source":"https://github.com/pyca/pynacl/commit/96314884d88d1089ff5f336dba61d7abbcddbbf7","signature_type":"Line","id":"CVE-2025-69277-7e31737c","deprecated":false,"digest":{"line_hashes":["241291362390970966119687003418518640000","312918036739247308043503356467190296038","158559001847653613136767610019623610478","125622564604679912747539859045396713679","204909454247726381801900882331589224786","138331253836022516973903582413033525227","168782483951090409016968964341208348521","208436452155015170044394156512511759067","8412632994326004333787799909632862415","181169542606285486452651058738837453432","271274064408363807014986156343647420237"],"threshold":0.9},"target":{"file":"src/libsodium/test/default/scalarmult_ed25519.c"}},{"signature_version":"v1","source":"https://github.com/pyca/pynacl/commit/96314884d88d1089ff5f336dba61d7abbcddbbf7","signature_type":"Line","id":"CVE-2025-69277-872a6ad1","deprecated":false,"digest":{"line_hashes":["110905110663799704070307190265979675473","312151617226326667937593172010765607184","114644993365556307877545538298049237298","301657286825928127307668976892071062372"],"threshold":0.9},"target":{"file":"src/libsodium/src/libsodium/include/sodium/crypto_stream_salsa2012.h"}},{"signature_version":"v1","source":"https://github.com/pyca/pynacl/commit/96314884d88d1089ff5f336dba61d7abbcddbbf7","signature_type":"Line","id":"CVE-2025-69277-87c5da57","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["308260423799822450319674702526506087449","88941942348244197780106375069153521451","91481388705350097720418432703299415795","85590579739442630473906153250189822304","240838851987162662003026314670961205689","321302984625379645327288223242572254769","152774947681641221797454343977315974438","208498853723714622487037809059887703408","328476950466293324903342946523090922299"]},"target":{"file":"src/libsodium/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c"}},{"signature_version":"v1","signature_type":"Line","source":"https://github.com/pyca/pynacl/commit/96314884d88d1089ff5f336dba61d7abbcddbbf7","id":"CVE-2025-69277-b373aef4","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["56799338321303892359028336369590536892","312151617226326667937593172010765607184","223492868826046591829566589719464576446","271331698987622438945788443888597290917","230569891340459460316832453014886170335","250420568705887507072681605060992754004","180696666794389501438063077626441674698","150740775544592619137927485032492522528","44282700865741357120391590270064546506","172092357026757331258662055269556528344","309817107654374342265374800337701307366","312151617226326667937593172010765607184","4258598611968943916318688929684843691","330059936811685925238151476075527154483","316777970530916073148832072820481687604","58199976541136397119408103053085757290","311434568642645167588838143272917246909","291343254744615363536627036247921219340","254755483956675616987411518026069903040","333399013983039306692956243736839123602"]},"target":{"file":"src/libsodium/src/libsodium/include/sodium/crypto_stream_chacha20.h"}},{"signature_version":"v1","source":"https://github.com/pyca/pynacl/commit/96314884d88d1089ff5f336dba61d7abbcddbbf7","signature_type":"Function","id":"CVE-2025-69277-b74ddaae","target":{"file":"src/libsodium/test/default/core_ed25519.c","function":"main"},"digest":{"length":17406,"function_hash":"264625072053653314383393154503339269395"},"deprecated":false},{"signature_version":"v1","source":"https://github.com/pyca/pynacl/commit/96314884d88d1089ff5f336dba61d7abbcddbbf7","signature_type":"Line","id":"CVE-2025-69277-ba710713","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["42733275492900604185315508785770941150","312151617226326667937593172010765607184","47633753536891534681112854856235915492","53432262892220890662879486834851705911","242187286509258097631392794339366758052","152676262903635342471358767692724277176","180696666794389501438063077626441674698","150740775544592619137927485032492522528","257461800639106252464493145063608392059","9472073518650453918962973449764252768"]},"target":{"file":"src/libsodium/src/libsodium/include/sodium/crypto_stream_salsa20.h"}},{"signature_version":"v1","source":"https://github.com/pyca/pynacl/commit/96314884d88d1089ff5f336dba61d7abbcddbbf7","signature_type":"Line","id":"CVE-2025-69277-e1ca9b51","target":{"file":"src/libsodium/src/libsodium/include/sodium/crypto_stream.h"},"digest":{"threshold":0.9,"line_hashes":["196080584037148168841616985332982980336","312151617226326667937593172010765607184","32910570611504010648486574325371451024","96679906918251537214662553327687944998"]},"deprecated":false},{"signature_version":"v1","signature_type":"Function","source":"https://github.com/pyca/pynacl/commit/96314884d88d1089ff5f336dba61d7abbcddbbf7","id":"CVE-2025-69277-e5477171","deprecated":false,"digest":{"length":642,"function_hash":"138729168927948144710317439932015631584"},"target":{"file":"src/libsodium/src/libsodium/crypto_aead/aegis256/aead_aegis256.c","function":"crypto_aead_aegis256_encrypt_detached"}},{"signature_version":"v1","source":"https://github.com/pyca/pynacl/commit/96314884d88d1089ff5f336dba61d7abbcddbbf7","signature_type":"Function","id":"CVE-2025-69277-f27b4634","deprecated":false,"digest":{"length":645,"function_hash":"10896568595684321769119659255294663110"},"target":{"file":"src/libsodium/src/libsodium/crypto_aead/aegis128l/aead_aegis128l.c","function":"crypto_aead_aegis128l_encrypt_detached"}},{"signature_version":"v1","signature_type":"Line","source":"https://github.com/pyca/pynacl/commit/96314884d88d1089ff5f336dba61d7abbcddbbf7","id":"CVE-2025-69277-f5b370e3","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["5341216938120920449918138990777926469","324967100711596872117223212499567287089","228689071439774033045939807618309251020","156688743998471874410638012048967895257"]},"target":{"file":"src/libsodium/test/default/kdf_hkdf.c"}},{"signature_version":"v1","source":"https://github.com/pyca/pynacl/commit/96314884d88d1089ff5f336dba61d7abbcddbbf7","signature_type":"Function","id":"CVE-2025-69277-fd2b48e3","deprecated":false,"digest":{"length":113,"function_hash":"225152862173646219701680893385147273816"},"target":{"file":"src/libsodium/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c","function":"ge25519_is_on_main_subgroup"}},{"signature_version":"v1","source":"https://github.com/pyca/pynacl/commit/96314884d88d1089ff5f336dba61d7abbcddbbf7","signature_type":"Function","id":"CVE-2025-69277-ffdefbf6","deprecated":false,"digest":{"length":577,"function_hash":"73575649920423088164001204825866035319"},"target":{"file":"src/libsodium/src/libsodium/crypto_aead/aegis128l/aead_aegis128l.c","function":"crypto_aead_aegis128l_decrypt_detached"}}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"ad3004e"}]}],"vanir_signatures_modified":"2026-04-12T22:06:22Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"}]}