Crypt::Sodium::XS Vulnerable Version Bundles Libsodium with Elliptic Curve Validation Flaw
Vulnerability
Crypt::Sodium::XS versions before 0.000042 bundle an affected libsodium (libsodium through 1.0.20, or any libsodium build released before December 30, 2025). The underlying libsodium issue, tracked as CVE-2025-69277, is in crypto_core_ed25519_is_valid_point, which did not validate elliptic curve points correctly and reported some invalid points as valid. It affects users who build custom cryptographic constructions on these low-level primitives and feed them untrusted data.
Impact
Code that relies on crypto_core_ed25519_is_valid_point to reject bad input may accept an invalid point and go on to use it in signature or other group operations, according to the Crypt::Sodium::XS author.
Reproduction
To reproduce, use Crypt::Sodium::XS 0.000041 or earlier, either with its bundled libsodium or linked against an external libsodium 1.0.20 or earlier (or any build released before December 30, 2025). Pass point encodings from an untrusted source to crypto_core_ed25519_is_valid_point: some invalid points are reported as valid.
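A full validity check for an untrusted Ed25519 point has to reject three classes of input: encodings that are not canonical, points that are not on the curve, and on-curve points that lie outside the prime-order subgroup (the identity, small-order points, and mixed-order points such as B plus an order-4 point). The advisory does not say which of these classes the libsodium flaw mishandled, so the following independent validator, added here as an example and not taken from the advisory, libsodium or Crypt::Sodium::XS, implements all three checks so a caller can cross-check what a library reports. The test vectors at the bottom are constructed for this example; the base point encoding and the small-order points follow from the curve definition, not from the advisory.

```python
# Added example, not code from the advisory, libsodium or Crypt::Sodium::XS.
# Independent Ed25519 point validator: rejects non-canonical encodings,
# off-curve points, and on-curve points outside the prime-order subgroup
# (the identity, small-order points, and mixed-order points).
P = 2**255 - 19                                      # field prime
D = (-121665 * pow(121666, P - 2, P)) % P            # curve constant d
L = 2**252 + 27742317777372353535851937790883648493  # order of the base point
SQRT_M1 = pow(2, (P - 1) // 4, P)                    # a square root of -1 mod p
IDENTITY = (0, 1)


def decode_point(enc: bytes):
    """Decode a 32-byte compressed point per RFC 8032 section 5.1.3.
    Returns (x, y), or None when the encoding is non-canonical or the
    point is not on the curve."""
    if len(enc) != 32:
        return None
    y = int.from_bytes(enc, "little")
    sign = y >> 255                 # bit 255 carries the parity of x
    y &= (1 << 255) - 1
    if y >= P:                      # y must be reduced: p <= y < 2^255 is non-canonical
        return None
    u = (y * y - 1) % P
    v = (D * y * y + 1) % P
    # Candidate square root of u/v: x = u v^3 (u v^7)^((p-5)/8)
    x = (u * pow(v, 3, P) * pow(u * pow(v, 7, P), (P - 5) // 8, P)) % P
    vxx = (v * x * x) % P
    if vxx == (-u) % P:
        x = (x * SQRT_M1) % P       # u/v was -1 times a square: fix up with sqrt(-1)
    elif vxx != u:
        return None                 # u/v has no square root: not on the curve
    if x == 0 and sign == 1:
        return None                 # "-0" is not a valid encoding
    if (x & 1) != sign:
        x = P - x
    return (x, y)


def encode_point(pt) -> bytes:
    """Inverse of decode_point: y little-endian with the parity of x in bit 255."""
    x, y = pt
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def add_points(p1, p2):
    """Affine twisted Edwards addition (a = -1). The law is complete for
    on-curve points, so the denominators are never zero."""
    x1, y1 = p1
    x2, y2 = p2
    t = (D * x1 * x2 * y1 * y2) % P
    x3 = (x1 * y2 + x2 * y1) * pow((1 + t) % P, P - 2, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow((1 - t) % P, P - 2, P) % P
    return (x3, y3)


def scalar_mul(k: int, pt):
    """Double-and-add scalar multiplication (not constant-time; validation only)."""
    acc = IDENTITY
    while k:
        if k & 1:
            acc = add_points(acc, pt)
        pt = add_points(pt, pt)
        k >>= 1
    return acc


def is_valid_point(enc: bytes) -> bool:
    """True only for a canonical, on-curve point of exact order L.
    L*pt == identity with pt != identity excludes small-order and mixed-order points."""
    pt = decode_point(enc)
    if pt is None or pt == IDENTITY:
        return False
    return scalar_mul(L, pt) == IDENTITY


# Constructed test vectors (not taken from the advisory):
BASE_ENC = bytes.fromhex("58" + "66" * 31)           # standard base point B (y = 4/5), order L
IDENTITY_ENC = bytes([1]) + bytes(31)                # (0, 1): order 1
ORDER2_ENC = bytes([0xEC]) + bytes([0xFF] * 30) + bytes([0x7F])       # y = p-1: (0, -1), order 2
NONCANONICAL_ENC = bytes([0xED]) + bytes([0xFF] * 30) + bytes([0x7F])  # y = p: not reduced
ORDER4_ENC = encode_point((SQRT_M1, 0))              # (sqrt(-1), 0): on the curve, order 4
MIXED_ENC = encode_point(add_points(decode_point(BASE_ENC), (SQRT_M1, 0)))  # B + order-4 point


def run_vectors():
    """Return {name: verdict} for the vectors above."""
    return {
        "base": is_valid_point(BASE_ENC),
        "double_base": is_valid_point(encode_point(scalar_mul(2, decode_point(BASE_ENC)))),
        "identity": is_valid_point(IDENTITY_ENC),
        "order2": is_valid_point(ORDER2_ENC),
        "noncanonical": is_valid_point(NONCANONICAL_ENC),
        "order4": is_valid_point(ORDER4_ENC),
        "mixed": is_valid_point(MIXED_ENC),
        "short": is_valid_point(b"\x00" * 31),
    }


if __name__ == "__main__":
    for name, ok in run_vectors().items():
        print(f"{name:>13}: {'valid' if ok else 'rejected'}")
```

The order-4 and mixed-order vectors are the ones worth keeping in a regression suite: both decode cleanly and sit on the curve, so a validator that only checks canonical form and the curve equation accepts them, and only the subgroup check (multiplication by L) rejects them. The arithmetic here is deliberately simple affine code with a modular inversion per addition; it is fine for validating a handful of points but is not constant-time and is not a substitute for the library in production paths.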
Remediation
Update to Crypt::Sodium::XS 0.000042 or later, which bundles a patched libsodium. Installations built against an externally provided libsodium must also update that library itself to a non-vulnerable version.
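To check a host against the two ranges above, the following script, added here as an example and not part of the advisory or the Crypt::Sodium::XS project, compares version strings for the module and for a system libsodium. Crypt::Sodium::XS uses CPAN decimal versions (0.000041, 0.000042), which must be compared as decimals rather than as dotted tuples. The probes assume `perl` is on the PATH and that `pkg-config` knows about a system libsodium; both assumptions are marked in the code, and the comparison functions run without either.

```python
# Added example, not part of the advisory or the Crypt::Sodium::XS project:
# classify installed versions against the affected ranges in the advisory.
import shutil
import subprocess
from decimal import Decimal

XS_FIXED = Decimal("0.000042")          # first release with the patched bundled libsodium
LIBSODIUM_LAST_AFFECTED = (1, 0, 20)    # libsodium "through 1.0.20" per the advisory


def xs_version_affected(version: str) -> bool:
    """Crypt::Sodium::XS versions are decimals (0.000041 < 0.000042), so a
    dotted-tuple comparison would be wrong; compare as Decimal."""
    return Decimal(version.strip()) < XS_FIXED


def libsodium_version_affected(version: str) -> bool:
    """Dotted libsodium versions compare component-wise; anything at or below
    1.0.20 is in range. A snapshot carrying a 1.0.20 version string but dated
    after December 30, 2025 cannot be told apart by version string alone, so
    this check is conservative and reports it as affected."""
    parts = tuple(int(p) for p in version.strip().split(".")[:3])
    parts += (0,) * (3 - len(parts))
    return parts <= LIBSODIUM_LAST_AFFECTED


def _probe(cmd):
    """Run a probe command; return its stdout, or None if the tool is missing
    or the command fails (for example, the module is not installed)."""
    if shutil.which(cmd[0]) is None:
        return None
    result = subprocess.run(cmd, capture_output=True, text=True)
    return result.stdout.strip() if result.returncode == 0 else None


def audit_host():
    """Assumed host layout: perl on the PATH (every CPAN module exports
    $VERSION) and, optionally, pkg-config metadata for a system libsodium.
    Returns {component: (version, affected)} for whatever was found."""
    report = {}
    xs = _probe(["perl", "-MCrypt::Sodium::XS", "-e", "print $Crypt::Sodium::XS::VERSION"])
    if xs:
        report["Crypt::Sodium::XS"] = (xs, xs_version_affected(xs))
    lib = _probe(["pkg-config", "--modversion", "libsodium"])
    if lib:
        report["system libsodium"] = (lib, libsodium_version_affected(lib))
    return report


if __name__ == "__main__":
    found = audit_host()
    if not found:
        print("neither Crypt::Sodium::XS nor a pkg-config libsodium was found")
    for component, (version, affected) in found.items():
        print(f"{component}: {version} -> {'AFFECTED' if affected else 'ok'}")
```

Read the two lines together: a module at 0.000042 or later is only fully remediated if it uses its bundled libsodium, or if the system libsodium it was built against is also past the affected range.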
