CRITICAL🇵🇱 Wersja polska

CVE-2025-15444

CVSS 9.8v3.1pub. 2026-01-06upd. 2026-03-10

Crypt::Sodium::XS module versions prior to 0.000042, for Perl, include a vulnerable version of libsodium libsodium <= 1.0.20 or a version of libsodium released before December 30, 2025 contains a vulnerability documented as CVE-2025-69277  https://www.cve.org/CVERecord?id=CVE-2025-69277 . The libsodium vulnerability states: In atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group. 0.000042 includes a version of libsodium updated to 1.0.20-stable, released January 3, 2026, which includes a fix for the vulnerability.

🤖 AI Analysis
How it works

The vulnerability (CWE-347 — improper verification of cryptographic signature) lies in the crypto_core_ed25519_is_valid_point function in the libsodium library in versions 1.0.20 or older released before December 30, 2025. In certain non-standard use cases — such as custom cryptography or processing untrusted data — this function accepts elliptic curve points that do not belong to the main cryptographic group. An attacker can provide a crafted, seemingly valid curve point that passes verification despite being mathematically incorrect from a cryptographic security perspective.

Impact

An attacker can potentially bypass cryptographic verifications, which in the appropriate application context may lead to violations of confidentiality, integrity, and availability of protected data — hence the CVSS score of 9.8 (CRITICAL).

Mitigation & patch

The Crypt::Sodium::XS module should be updated to version 0.000042 or newer, which includes libsodium updated to version 1.0.20-stable released on January 3, 2026 and containing the patch for this vulnerability. Details are available in the vendor references and in the changelog on metacpan.org.

Who is affected

Perl module Crypt::Sodium::XS in versions earlier than 0.000042, containing libsodium version <= 1.0.20 released before December 30, 2025.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Iamb Crypt\

    APP
    Iamb
    \
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-30910HIGH7.5ten sam produkt

Crypt::Sodium::XS versions through 0.001000 for Perl has potential integer overflows. Combined aead encryptio...