CVE-2025-15444
BaseFortify
Publication date: 2026-01-06
Last updated on: 2026-03-10
Assigner: CPANSec
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| iamb | crypt | to 0.000042 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-347 | The product does not verify, or incorrectly verifies, the cryptographic signature for data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the Crypt::Sodium::XS Perl module versions prior to 0.000042 because they include a vulnerable version of libsodium (version 1.0.20 or earlier). The issue involves the libsodium function crypto_core_ed25519_is_valid_point, which in certain atypical use cases with custom cryptography or untrusted data, mishandles the validation of elliptic curve points. Specifically, it sometimes allows points that are not part of the main cryptographic group, potentially undermining cryptographic security.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing invalid elliptic curve points to be accepted in cryptographic operations, which could weaken the security guarantees of cryptographic protocols relying on libsodium. In scenarios involving custom cryptography or untrusted data, this may lead to cryptographic failures or exploitation, potentially compromising data integrity or confidentiality.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the Crypt::Sodium::XS Perl module to version 0.000042 or later, which includes libsodium version 1.0.20-stable or newer that contains the fix for the vulnerability.