Crypt::Sodium::XS module versions prior to 0.000042, for Perl, include a vulnerable version of libsodium
libsodium <= 1.0.20 or a version of libsodium released before December 30, 2025 contains a vulnerability documented as CVE-2025-69277 https://www.cve.org/CVERecord?id=CVE-2025-69277 .
The libsodium vulnerability states:
In atypical use cases involving certain custom cryptography or untrusted data to cryptocoreed25519isvalid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.
0.000042 includes a version of libsodium updated to 1.0.20-stable, released January 3, 2026, which includes a fix for the vulnerability.
{
"cwe_ids": [
"CWE-1395"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/15xxx/CVE-2025-15444.json",
"unresolved_ranges": [
{
"extracted_events": [
{
"fixed": "0.000042"
}
],
"source": "AFFECTED_FIELD"
}
],
"cna_assigner": "CPANSec"
}