CPANSA-Crypt-Sodium-XS-2025-15444: Crypt-Sodium-XS vulnerability
| Publisher | giterlizzi | Document category | csaf_security_advisory |
|---|---|---|---|
| Initial release date | 2026-01-06T00:00:00 | Engine | CSAF Perl Toolkit 0.26 |
| Current release date | 2026-01-06T00:00:00 | Build Date | |
| Current version | 1 | Status | final |
| CVSS v3.1 Base Score | 9.8 | Severity | |
| Original language | | Language | en |
| Also referred to | | | |
Vulnerability Description
Crypt::Sodium::XS module versions prior to 0.000042, for Perl, include a vulnerable version of libsodium. libsodium <= 1.0.20, or a version of libsodium released before December 30, 2025, contains a vulnerability documented as CVE-2025-69277 (https://www.cve.org/CVERecord?id=CVE-2025-69277). The libsodium vulnerability states: "In atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group." Version 0.000042 includes a version of libsodium updated to 1.0.20-stable, released January 3, 2026, which includes a fix for the vulnerability.
Vulnerabilities
CVE-2025-15444
Vulnerability Description
Crypt::Sodium::XS module versions prior to 0.000042, for Perl, include a vulnerable version of libsodium.
libsodium <= 1.0.20, or a version of libsodium released before December 30, 2025, contains a vulnerability documented as CVE-2025-69277 (https://www.cve.org/CVERecord?id=CVE-2025-69277).
The libsodium vulnerability states:
"In atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group."
Version 0.000042 includes a version of libsodium updated to 1.0.20-stable, released January 3, 2026, which includes a fix for the vulnerability.
Product status
Known affected
| Product | Score |
|---|---|
| Crypt-Sodium-XS less than 0.000042 | |
Fixed
- Crypt-Sodium-XS greater than or equal 0.000042
giterlizzi
Namespace: https://github.com/giterlizzi/
gdt@cpan.org
References
- CPANSA-Crypt-Sodium-XS-2025-15444 JSON (self)
  https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2026/cpansa-crypt-sodium-xs-2025-15444.json
- https://00f.net/2025/12/30/libsodium-vulnerability/ (external)
  https://00f.net/2025/12/30/libsodium-vulnerability/
- https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae (external)
  https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae
- https://metacpan.org/dist/Crypt-Sodium-XS/changes (external)
  https://metacpan.org/dist/Crypt-Sodium-XS/changes
- CVE-2025-15444 (NVD) (external)
  https://nvd.nist.gov/vuln/detail/CVE-2025-15444
Revision history
| Version | Date of the revision | Summary of the revision |
|---|---|---|
| 1 | Tue Jan 6 00:00:00 2026 | First release |
Sharing rules
TLP:WHITE
For the TLP version see: https://www.first.org/tlp/