4.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-69277

CVE-2025-69277: libsodium has Incomplete List of Disallowed Inputs

libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-69277

CVE-2025-69277:

4.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
paragonie/sodium_compat	composer	>= 2, < 2.5.0	2.5.0
paragonie/sodium_compat	composer	< 1.24.0	1.24.0
PyNaCl

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability, CVE-2025-69277, stems from an incomplete check in the crypto_core_ed25519_is_valid_point function of the libsodium library. This function is responsible for validating if an Ed25519 elliptic curve point is on the main cryptographic subgroup. The original implementation only checked if the X-coordinate of the point (after multiplication by the curve's cofactor) was zero, but failed to check the other coordinates. This allowed certain invalid points, which are not part of the main subgroup, to be accepted as valid.

This vulnerability affects multiple packages that use libsodium or implement its logic:

libsodium: The core vulnerability lies in the ge25519_is_on_main_subgroup C function, which is called by crypto_core_ed25519_is_valid_point. The patch ad3004ec8731730e93fcfbbc824e67eadc1c1bae corrects this by adding a check to ensure that Y-Z is also zero, thus fully validating the point as the identity element.
PyNaCl and hdwallet: These Python packages bundle the libsodium library. They are vulnerable because they expose the flawed crypto_core_ed25519_is_valid_point functionality. Any operation in these libraries that involves verifying an Ed25519 public key would be affected. The fix for these packages was to update the bundled libsodium to a patched version.
paragonie/sodium_compat: This is a pure PHP reimplementation of the libsodium library. It had a similar vulnerability where functions accepting public keys (pk_to_curve25519, verify_detached, and File::verify) either had an incomplete check or were missing the check for the public key being on the main subgroup entirely. The patches 2cb48f26130919f92f30650bdcc30e6f4ebe45ac and 4714da6efdc782c06690bc72ce34fae7941c2d9f introduced a new function, is_on_main_subgroup, and added calls to it in the vulnerable functions to ensure proper validation of public keys.

Vulnerable functions

ge25519_is_on_main_subgroup

src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c

This internal function in libsodium had an incomplete check to validate if a point is on the main subgroup. It only checked if the X coordinate was zero after multiplication with the cofactor, but did not check the Y and Z coordinates. This allowed points not on the main subgroup to be considered valid.

crypto_core_ed25519_is_valid_point

src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c

This is the primary function identified in the CVE for validating an Ed25519 point. It was vulnerable because it relied on the incomplete logic of `ge25519_is_on_main_subgroup`. The patch to the underlying function fixes this vulnerability. This function is used by PyNaCl and hdwallet.

ParagonIE_Sodium_Core_Ed25519::pk_to_curve25519

src/Core/Ed25519.php

This function in paragonie/sodium_compat, used for converting a public key to a curve point, had an insufficient validation check for the public key. The patch replaces the incomplete check with a call to the new `is_on_main_subgroup` function to ensure the key is on the main subgroup.

ParagonIE_Sodium_Core_Ed25519::verify_detached

src/Core/Ed25519.php

This function in paragonie/sodium_compat, used for verifying a detached signature, was vulnerable because it did not validate that the public key was on the main subgroup. The patch adds a call to `is_on_main_subgroup` to perform this validation.

ParagonIE_Sodium_File::verify

src/File.php

This function in paragonie/sodium_compat, used for verifying a file signature, was vulnerable because it did not validate that the public key was on the main subgroup. The patch adds a call to `is_on_main_subgroup` to perform this validation.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-69277: libsodium has Incomplete List of Disallowed Inputs

CVE-2025-69277:

4.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-69277: libsodium has Incomplete List of Disallowed Inputs

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

4.5

4.5

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI