CVE-2025-69277

Description

libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group. This advisoory lists packages in the GitHub Advisory Database's [supported ecosystems](https://github.com/github/advisory-database?tab=readme-ov-file#supported-ecosystems) that are affected by this vulnerability due to a vulnerable dependency.

How to fix CVE-2025-69277

To remediate CVE-2025-69277, upgrade the affected package to a fixed version below.

• —upgrade to 1.0.19-r1 or later
• —upgrade to 1.0.18-1+deb11u1 or later
• —upgrade to 1.0.18-1+deb11u1 or later
• —upgrade to 1.0.18-1+deb12u1 or later
• —upgrade to 2.5.0 or later
• —upgrade to 3.6.1 or later
• —upgrade to 1.6.2 or later

Is CVE-2025-69277 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (7)

• from 0, < 1.0.19-r1
• from 0, < 1.0.18-1+deb11u1
• from 0, < 1.0.18-1+deb11u1
• from 0, < 1.0.18-1+deb12u1
• >= 2, < 2.5.0
• from 0, < 3.6.1
• from 0, < 1.6.2

CVSS scores

References (16)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-69277
• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2025-69277
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-69277
• PATCHgithub.com/paragonie/sodium_compat
• WEB