CVE-2025-69277

Description

libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.

How to fix CVE-2025-69277

To remediate CVE-2025-69277, upgrade the affected package to a fixed version below.

• —upgrade to 1.0.19-r1 or later
• —upgrade to 1.0.18-1+deb11u1 or later
• —upgrade to 1.0.18-1+deb11u1 or later
• —upgrade to 1.0.18-1+deb12u1 or later
• —upgrade to 2.5.0 or later
• —upgrade to 3.6.1 or later
• —upgrade to 1.6.2 or later

Is CVE-2025-69277 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (7)

• from 0, < 1.0.19-r1
• from 0, < 1.0.18-1+deb11u1
• from 0, < 1.0.18-1+deb11u1
• from 0, < 1.0.18-1+deb12u1
• >= 2, < 2.5.0
• from 0, < 3.6.1
• from 0, < 1.6.2

CVSS scores

References (16)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-69277
• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2025-69277
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-69277
• PATCHgithub.com/paragonie/sodium_compat
• WEB