Vulnerability DatabaseCVE-2025-69277
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-69277
December 31, 2025
libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.
Affected Packages
hdwallet (PYTHON):
Affected version(s) >=0.1.0a1 <3.6.1
Fix Suggestion:
Update to version 3.6.1
pynacl (PYTHON):
Affected version(s) >=0.1.0 <1.6.2
Fix Suggestion:
Update to version 1.6.2
Related Resources (15)
https://github.com/paragonie/sodium_compat/commit/4714da6efdc782c06690bc72ce34fae7941c2d9f
https://lists.debian.org/debian-lts-announce/2026/01/msg00004.html
https://news.ycombinator.com/item?id=46435614
https://00f.net/2025/12/30/libsodium-vulnerability/
https://00f.net/2025/12/30/libsodium-vulnerability
https://github.com/paragonie/sodium_compat
https://github.com/hdwallet-io/python-hdwallet/pull/124
https://github.com/pyca/pynacl/commit/96314884d88d1089ff5f336dba61d7abbcddbbf7
https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae
https://nvd.nist.gov/vuln/detail/CVE-2025-69277
https://github.com/paragonie/sodium_compat/commit/2cb48f26130919f92f30650bdcc30e6f4ebe45ac
https://github.com/pyca/pynacl/commit/ecf41f55a3d8f1e10ce89c61c4b4d67f3f4467cf
https://ianix.com/pub/ed25519-deployment.html
https://github.com/pyca/pynacl/issues/920
https://github.com/FriendsOfPHP/security-advisories/blob/master/paragonie/sodium_compat/2025-12-30.yaml
Do you need more information?
Contact Us
CVSS v4
Base Score:
2.1
Attack Vector
LOCAL
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
LOW
Subsequent System Integrity
LOW
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.5
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Incomplete List of Disallowed Inputs
CWE-184
EPSS
Base Score:
0.02