{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15444", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "state": "PUBLISHED", "assignerShortName": "CPANSec", "dateReserved": "2026-01-03T22:06:02.639Z", "datePublished": "2026-01-06T00:22:50.114Z", "dateUpdated": "2026-01-06T19:01:27.678Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "Crypt-Sodium-XS", "product": "Crypt::Sodium::XS", "vendor": "IAMB", "versions": [{"lessThan": "0.000042", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Crypt::Sodium::XS module versions prior to&nbsp;0.000042,&nbsp;for Perl, include a vulnerable version of libsodium<br><br>libsodium &lt;= 1.0.20 or a version of libsodium released before December 30, 2025 contains a vulnerability documented as CVE-2025-69277&nbsp;<a target=\"_blank\" rel=\"nofollow\" href=\"https://www.cve.org/CVERecord?id=CVE-2025-69277\">https://www.cve.org/CVERecord?id=CVE-2025-69277</a>.<br><br>The libsodium vulnerability states:<br><br>In atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.<br><br>0.000042 includes a version of&nbsp;libsodium updated to 1.0.20-stable, <span style=\"background-color: rgb(255, 255, 255);\">released January 3, 2026, which includes a fix for the vulnerability.</span><br>"}], "value": "Crypt::Sodium::XS module versions prior to\u00a00.000042,\u00a0for Perl, include a vulnerable version of libsodium\n\nlibsodium <= 1.0.20 or a version of libsodium released before December 30, 2025 contains a vulnerability documented as CVE-2025-69277\u00a0 https://www.cve.org/CVERecord?id=CVE-2025-69277 .\n\nThe libsodium vulnerability states:\n\nIn atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.\n\n0.000042 includes a version of\u00a0libsodium updated to 1.0.20-stable, released January 3, 2026, which includes a fix for the vulnerability."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1395", "description": "CWE-1395 Dependency on Vulnerable Third-Party Component", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-01-06T00:22:50.114Z"}, "references": [{"url": "https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae"}, {"url": "https://00f.net/2025/12/30/libsodium-vulnerability/"}, {"tags": ["release-notes"], "url": "https://metacpan.org/dist/Crypt-Sodium-XS/changes"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Upgrade to version&nbsp;0.000042 or later"}], "value": "Upgrade to version\u00a00.000042 or later"}], "source": {"discovery": "UPSTREAM"}, "title": "Crypt::Sodium::XS module versions prior to\u00a00.000042,\u00a0for Perl, include a vulnerable version of libsodium", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-06T14:23:55.371687Z", "id": "CVE-2025-15444", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T19:01:27.678Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15444", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "state": "PUBLISHED", "assignerShortName": "CPANSec", "dateReserved": "2026-01-03T22:06:02.639Z", "datePublished": "2026-01-06T00:22:50.114Z", "dateUpdated": "2026-01-06T19:01:27.678Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "Crypt-Sodium-XS", "product": "Crypt::Sodium::XS", "vendor": "IAMB", "versions": [{"lessThan": "0.000042", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Crypt::Sodium::XS module versions prior to&nbsp;0.000042,&nbsp;for Perl, include a vulnerable version of libsodium<br><br>libsodium &lt;= 1.0.20 or a version of libsodium released before December 30, 2025 contains a vulnerability documented as CVE-2025-69277&nbsp;<a target=\"_blank\" rel=\"nofollow\" href=\"https://www.cve.org/CVERecord?id=CVE-2025-69277\">https://www.cve.org/CVERecord?id=CVE-2025-69277</a>.<br><br>The libsodium vulnerability states:<br><br>In atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.<br><br>0.000042 includes a version of&nbsp;libsodium updated to 1.0.20-stable, <span style=\"background-color: rgb(255, 255, 255);\">released January 3, 2026, which includes a fix for the vulnerability.</span><br>"}], "value": "Crypt::Sodium::XS module versions prior to\u00a00.000042,\u00a0for Perl, include a vulnerable version of libsodium\n\nlibsodium <= 1.0.20 or a version of libsodium released before December 30, 2025 contains a vulnerability documented as CVE-2025-69277\u00a0 https://www.cve.org/CVERecord?id=CVE-2025-69277 .\n\nThe libsodium vulnerability states:\n\nIn atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.\n\n0.000042 includes a version of\u00a0libsodium updated to 1.0.20-stable, released January 3, 2026, which includes a fix for the vulnerability."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1395", "description": "CWE-1395 Dependency on Vulnerable Third-Party Component", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-01-06T00:22:50.114Z"}, "references": [{"url": "https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae"}, {"url": "https://00f.net/2025/12/30/libsodium-vulnerability/"}, {"tags": ["release-notes"], "url": "https://metacpan.org/dist/Crypt-Sodium-XS/changes"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Upgrade to version&nbsp;0.000042 or later"}], "value": "Upgrade to version\u00a00.000042 or later"}], "source": {"discovery": "UPSTREAM"}, "title": "Crypt::Sodium::XS module versions prior to\u00a00.000042,\u00a0for Perl, include a vulnerable version of libsodium", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-15444", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-06T14:23:55.371687Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T14:23:58.300Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:iamb:crypt\\:\\:sodium\\:\\:xs:*:*:*:*:*:perl:*:*", "matchCriteriaId": "E80FE07D-4150-4B71-A86C-3B70286E3E1D", "versionEndExcluding": "0.000042", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Crypt::Sodium::XS module versions prior to\u00a00.000042,\u00a0for Perl, include a vulnerable version of libsodium\n\nlibsodium <= 1.0.20 or a version of libsodium released before December 30, 2025 contains a vulnerability documented as CVE-2025-69277\u00a0 https://www.cve.org/CVERecord?id=CVE-2025-69277 .\n\nThe libsodium vulnerability states:\n\nIn atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.\n\n0.000042 includes a version of\u00a0libsodium updated to 1.0.20-stable, released January 3, 2026, which includes a fix for the vulnerability."}], "id": "CVE-2025-15444", "lastModified": "2026-03-10T17:00:25.563", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-06T01:16:01.240", "references": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Third Party Advisory"], "url": "https://00f.net/2025/12/30/libsodium-vulnerability/"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Patch"], "url": "https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Product", "Release Notes"], "url": "https://metacpan.org/dist/Crypt-Sodium-XS/changes"}], "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "libsodium: libsodium: Cryptographic bypass via improper elliptic curve point validation", "id": "2427278", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2427278"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-1395", "details": ["A flaw was found in libsodium, a cryptographic library used for secure communication. When processing certain custom cryptographic data or untrusted inputs, the library's `crypto_core_ed25519_is_valid_point` function incorrectly validates elliptic curve points. This oversight could allow an attacker to bypass cryptographic security measures, potentially compromising the confidentiality and integrity of sensitive data."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2025-15444", "package_state": [{"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Fix deferred", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Fix deferred", "package_name": "libsodium", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Fix deferred", "package_name": "libsodium", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Fix deferred", "package_name": "libsodium", "product_name": "Red Hat OpenStack Platform 18.0"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Fix deferred", "package_name": "libsodium", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Fix deferred", "package_name": "satellite:el8/libsodium", "product_name": "Red Hat Satellite 6"}], "public_date": "2026-01-06T00:22:50Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-15444\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-15444\nhttps://00f.net/2025/12/30/libsodium-vulnerability/\nhttps://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae\nhttps://metacpan.org/dist/Crypt-Sodium-XS/changes"], "statement": "This vulnerability is rated Moderate for Red Hat products as it affects the libsodium cryptographic library. The flaw in `crypto_core_ed25519_is_valid_point` allows for cryptographic bypass in atypical use cases involving custom cryptography or untrusted data. This could compromise the confidentiality and integrity of sensitive data in affected Red Hat OpenStack Platform, Red Hat Developer Hub, and Red Hat Satellite deployments.", "threat_severity": "Moderate"}

{"created": "2026-01-08T09:50:06.221197+00:00", "updated": "2026-01-08T09:50:06.221222+00:00", "vendors": ["perl", "perl$PRODUCT$crypt::sodium::xs"]}