{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2025-69277", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2025-12-31T05:50:07.155Z", "datePublished": "2025-12-31T05:50:07.422Z", "dateUpdated": "2026-01-07T17:06:43.302Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "libsodium", "vendor": "libsodium", "versions": [{"lessThan": "ad3004ec8731730e93fcfbbc824e67eadc1c1bae", "status": "affected", "version": "0", "versionType": "git"}]}], "descriptions": [{"lang": "en", "value": "libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-184", "description": "CWE-184 Incomplete List of Disallowed Inputs", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-01-06T16:38:46.029Z"}, "references": [{"url": "https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae"}, {"url": "https://00f.net/2025/12/30/libsodium-vulnerability/"}, {"url": "https://news.ycombinator.com/item?id=46435614"}, {"url": "https://ianix.com/pub/ed25519-deployment.html"}, {"url": "https://github.com/pyca/pynacl/issues/920"}, {"url": "https://github.com/pyca/pynacl/commit/ecf41f55a3d8f1e10ce89c61c4b4d67f3f4467cf"}, {"url": "https://github.com/pyca/pynacl/commit/96314884d88d1089ff5f336dba61d7abbcddbbf7"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-02T15:59:09.134600Z", "id": "CVE-2025-69277", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-02T17:38:32.240Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2026/01/msg00004.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-01-07T17:06:43.302Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2026/01/msg00004.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-01-07T17:06:43.302Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-69277", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-02T15:59:09.134600Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-02T15:59:11.846Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "libsodium", "product": "libsodium", "versions": [{"status": "affected", "version": "0", "lessThan": "ad3004ec8731730e93fcfbbc824e67eadc1c1bae", "versionType": "git"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae"}, {"url": "https://00f.net/2025/12/30/libsodium-vulnerability/"}, {"url": "https://news.ycombinator.com/item?id=46435614"}, {"url": "https://ianix.com/pub/ed25519-deployment.html"}, {"url": "https://github.com/pyca/pynacl/issues/920"}, {"url": "https://github.com/pyca/pynacl/commit/ecf41f55a3d8f1e10ce89c61c4b4d67f3f4467cf"}, {"url": "https://github.com/pyca/pynacl/commit/96314884d88d1089ff5f336dba61d7abbcddbbf7"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-184", "description": "CWE-184 Incomplete List of Disallowed Inputs"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-01-06T16:38:46.029Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69277", "state": "PUBLISHED", "dateUpdated": "2026-01-07T17:06:43.302Z", "dateReserved": "2025-12-31T05:50:07.155Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2025-12-31T05:50:07.422Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group."}, {"lang": "es", "value": "libsodium antes de ad3004e, en casos de uso at\u00edpicos que involucran cierta criptograf\u00eda personalizada o datos no confiables para crypto_core_ed25519_is_valid_point, maneja incorrectamente las comprobaciones sobre si un punto de curva el\u00edptica es v\u00e1lido porque a veces permite puntos que no est\u00e1n en el grupo criptogr\u00e1fico principal."}], "id": "CVE-2025-69277", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 2.7, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2025-12-31T06:15:41.513", "references": [{"source": "cve@mitre.org", "url": "https://00f.net/2025/12/30/libsodium-vulnerability/"}, {"source": "cve@mitre.org", "url": "https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae"}, {"source": "cve@mitre.org", "url": "https://github.com/pyca/pynacl/commit/96314884d88d1089ff5f336dba61d7abbcddbbf7"}, {"source": "cve@mitre.org", "url": "https://github.com/pyca/pynacl/commit/ecf41f55a3d8f1e10ce89c61c4b4d67f3f4467cf"}, {"source": "cve@mitre.org", "url": "https://github.com/pyca/pynacl/issues/920"}, {"source": "cve@mitre.org", "url": "https://ianix.com/pub/ed25519-deployment.html"}, {"source": "cve@mitre.org", "url": "https://news.ycombinator.com/item?id=46435614"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2026/01/msg00004.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-184"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{"bugzilla": {"description": "libsodium: libsodium: Improper validation of elliptic curve points could lead to data integrity or information disclosure.", "id": "2426416", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2426416"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-184", "details": ["libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.", "A flaw was found in libsodium. When processing untrusted data in specific cryptographic operations, the library's crypto_core_ed25519_is_valid_point function incorrectly validates elliptic curve points. This improper validation could allow an attacker to bypass security checks, potentially leading to a compromise of data integrity or the disclosure of sensitive information in certain custom cryptographic implementations."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2025-69277", "package_state": [{"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Fix deferred", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Fix deferred", "package_name": "libsodium", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Fix deferred", "package_name": "libsodium", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Fix deferred", "package_name": "libsodium", "product_name": "Red Hat OpenStack Platform 18.0"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Fix deferred", "package_name": "libsodium", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Fix deferred", "package_name": "satellite:el8/libsodium", "product_name": "Red Hat Satellite 6"}], "public_date": "2025-12-31T05:50:07Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-69277\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-69277\nhttps://00f.net/2025/12/30/libsodium-vulnerability/\nhttps://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae\nhttps://ianix.com/pub/ed25519-deployment.html\nhttps://news.ycombinator.com/item?id=46435614"], "statement": "This vulnerability is rated Moderate for Red Hat products as it primarily affects atypical use cases involving custom cryptographic implementations or untrusted data processing with `crypto_core_ed25519_is_valid_point`. Standard libsodium deployments are not expected to be impacted by this flaw.", "threat_severity": "Moderate"}

{}