CVE-2025-15444

Source
https://cve.org/CVERecord?id=CVE-2025-15444
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-15444.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-15444
Downstream
Related
Published
2026-01-06T01:16:01.240Z
Modified
2026-02-13T16:58:52.588233Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

Crypt::Sodium::XS module versions prior to 0.000042, for Perl, include a vulnerable version of libsodium.

libsodium <= 1.0.20, or a version of libsodium released before December 30, 2025, contains a vulnerability documented as CVE-2025-69277 (https://www.cve.org/CVERecord?id=CVE-2025-69277).

The libsodium vulnerability states:

In atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.

0.000042 includes a version of libsodium updated to 1.0.20-stable, released January 3, 2026, which includes a fix for the vulnerability.

References

Affected packages

Git / github.com/jedisct1/libsodium

Affected ranges

Type
GIT
Repo
https://github.com/jedisct1/libsodium
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*
0.1
0.2
0.3
0.4
0.4.1
0.4.2
0.4.3
0.4.4
0.4.5
0.5.0
0.6.0
0.6.1
0.7.0
0.7.1
1.*
1.0.0
1.0.1
1.0.10
1.0.11
1.0.12
1.0.13
1.0.14
1.0.15
1.0.16
1.0.17-RELEASE
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-15444.json"
vanir_signatures
[
    {
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2025-15444-19ea9e1a",
        "source": "https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae",
        "target": {
            "file": "test/default/core_ed25519.c",
            "function": "main"
        },
        "signature_type": "Function",
        "digest": {
            "function_hash": "271864492409172204729158493267951380532",
            "length": 15913.0
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2025-15444-39af8400",
        "source": "https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae",
        "target": {
            "file": "test/default/core_ed25519.c"
        },
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2025-15444-52bcd3fc",
        "source": "https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae",
        "target": {
            "file": "src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c"
        },
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2025-15444-6d6782e4",
        "source": "https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae",
        "target": {
            "file": "src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c",
            "function": "ge25519_is_on_main_subgroup"
        },
        "signature_type": "Function",
        "digest": {
            "function_hash": "225152862173646219701680893385147273816",
            "length": 113.0
        }
    }
]