Related upstream issue: CVE-2025-69277 (libsodium)
Affected component: Crypt::Sodium::XS (Perl module)
Affected versions: All versions prior to 0.000042
Fixed version: 0.000042
Underlying library: libsodium ≤ 1.0.20 (pre–Dec 30, 2025 builds)
Summary
CVE-2025-15444 is a supply-chain vulnerability in the Perl module Crypt::Sodium::XS. The module bundles or links against a vulnerable build of libsodium, which itself is affected by CVE-2025-69277.
The root problem is an incomplete validation of elliptic curve points in the function crypto_core_ed25519_is_valid_point. Under certain non-standard or adversarial conditions, the function may incorrectly treat invalid or low-order points as valid. This weakens cryptographic guarantees and can lead to authentication bypasses, signature misuse, or protocol-level attacks.
Version 0.000042 of Crypt::Sodium::XS updates libsodium to 1.0.20-stable (released January 3, 2026), which fully addresses the issue.
Severity & Risk Overview
- CVSS v3.1 Score: Not officially published at the time of writing
- Estimated Severity: High
- Attack Complexity: Medium
- Privileges Required: None
- User Interaction: None
- Impact Scope: Cryptographic integrity and authentication
While the vulnerability does not automatically lead to remote code execution, it undermines trust in cryptographic operations, which is critical in authentication, signing, and secure messaging systems.
Exploitability
- Exploitability: Context-dependent
- Public exploit (PoC): No public proof-of-concept observed
- Weaponization status: Low, but feasible for skilled attackers
This vulnerability does not trigger in common, well-implemented cryptographic workflows. It becomes exploitable when:
- Applications accept untrusted or attacker-controlled curve points
- Custom cryptographic protocols are built on top of Ed25519 primitives
- Developers rely on crypto_core_ed25519_is_valid_point as a strict validator without additional safeguards
In such cases, an attacker may submit a crafted elliptic curve point that passes validation but does not belong to the main subgroup, allowing subtle cryptographic manipulation.
How This Can Be Exploited
Think of elliptic curve points like ID cards used in cryptography. The vulnerable function checks if an ID card “looks real” but, in rare cases, fails to confirm it belongs to the correct issuing authority.
An attacker who understands elliptic curve math could:
- Send a specially crafted public key or signature component
- Trick the system into accepting it as valid
- Influence cryptographic outcomes such as:
- Forged authentication attempts
- Invalid signature acceptance
- Weakening of zero-knowledge or multi-party protocols
This is especially dangerous in custom crypto designs, where assumptions about point validity are critical.
Technical Root Cause
- Function involved: crypto_core_ed25519_is_valid_point
- Issue type: Improper subgroup membership validation
- What goes wrong:
- Some invalid points pass validation
- These points lie outside the main Ed25519 subgroup
- Cryptographic invariants are broken in edge cases
The fix in libsodium tightens mathematical checks to ensure only valid subgroup points are accepted.
MITRE ATT&CK Mapping
- T1552 – Unsecured Credentials (Indirect cryptographic weakening)
- T1600 – Weaken Encryption
- T1040 – Network Sniffing (Follow-on risk if authentication is weakened)
- T1649 – Steal or Forge Authentication Material
This vulnerability primarily supports credential and trust manipulation, rather than direct exploitation.
Detection & Monitoring Guidance
What to Look For
This issue does not produce obvious crashes or errors. Detection relies on behavioral and cryptographic context awareness.
Possible indicators:
- Repeated failures followed by unexpected authentication success
- Acceptance of unusual or malformed public keys
- Non-standard Ed25519 point lengths or encodings
- Anomalies in signature verification logic
Recommended Log Sources
- Application authentication logs
- Cryptographic validation failure logs
- API request logs involving key exchange or signature verification
- Debug-level crypto or security audit logs
Detection Rules
- Flag Ed25519 validation events where:
- The same key alternates between valid/invalid states
- Validation succeeds but subsequent crypto operations behave abnormally
- Monitor for:
- Excessive calls to point validation functions
- Inputs that deviate from standard Ed25519 encodings
Payload Characteristics
- Non-canonical elliptic curve points
- Low-order or small-subgroup points
- Public keys that pass validation but fail mathematical subgroup checks
These payloads are not human-readable and require cryptographic tooling to generate.
Impact Assessment
| Area | Impact |
|---|---|
| Authentication | Potential bypass or weakening |
| Digital signatures | Possible misuse or incorrect validation |
| Secure messaging | Trust assumptions may be violated |
| Compliance | Cryptographic assurance no longer guaranteed |
Remediation & Mitigation
Immediate Actions
- Upgrade Crypt::Sodium::XS to version 0.000042 or later
- Verify the bundled or linked libsodium version is 1.0.20-stable or newer
- Rebuild applications to ensure no older static library remains
Official Patch
- libsodium 1.0.20-stable (January 3, 2026)
https://download.libsodium.org/libsodium/releases/libsodium-1.0.20-stable.tar.gz
Additional Hardening
- Avoid accepting raw or user-supplied elliptic curve points
- Prefer high-level cryptographic APIs over low-level primitives
- Enforce strict key and signature encoding validation
- Add cryptographic regression tests for edge-case inputs
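The root cause described under Technical Root Cause and the hardening items above (strict encoding validation, regression tests for edge-case inputs) both call for an independent subgroup check that does not depend on the library's own validator. The following Python is an added example, not code from Crypt::Sodium::XS or libsodium: it decodes a 32-byte Ed25519 public key per RFC 8032 and accepts it only if it is canonical, on-curve, not the identity, and of prime order L (verified by computing L * P), so the low-order and mixed-order points discussed in this advisory are rejected regardless of what the underlying library reports.

```python
# Added example, not code from Crypt::Sodium::XS or libsodium: a strict Ed25519 public-key
# check that rejects non-canonical, off-curve, identity and low/mixed-order points.
P = 2**255 - 19                                      # field prime
L = 2**252 + 27742317777372353535851937790883648493  # order of the prime subgroup
D = (-121665 * pow(121666, -1, P)) % P               # curve constant d = -121665/121666
SQRT_M1 = pow(2, (P - 1) // 4, P)                    # a square root of -1 mod p
IDENTITY = (0, 1)                                    # neutral element, affine form

def decode_point(enc: bytes):                        # RFC 8032 section 5.1.3 decoding
    if len(enc) != 32:
        return None
    x_sign, y = divmod(int.from_bytes(enc, "little"), 1 << 255)
    if y >= P:                                       # non-canonical: y must be < p
        return None
    u, v = (y * y - 1) % P, (D * y * y + 1) % P      # on the curve, x^2 = u / v
    x2 = u * pow(v, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)                     # candidate root, valid as p = 5 mod 8
    if (x * x - x2) % P:
        x = x * SQRT_M1 % P
    if (x * x - x2) % P or (x == 0 and x_sign):      # off-curve, or x = 0 with sign bit set
        return None
    return (P - x if (x & 1) != x_sign else x, y)

def add(p1, p2):                                     # complete affine addition, a = -1
    (x1, y1), (x2, y2) = p1, p2
    k = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + x2 * y1) * pow((1 + k) % P, -1, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow((1 - k) % P, -1, P) % P
    return (x3, y3)

def scalar_mult(k, pt):                              # double-and-add (not constant-time)
    acc = IDENTITY
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc

def check_public_key(enc: bytes) -> str:
    pt = decode_point(enc)
    if pt is None:
        return "reject: not a canonical on-curve point"
    if pt == IDENTITY:
        return "reject: identity point"
    if scalar_mult(L, pt) != IDENTITY:               # order does not divide L
        return "reject: low-order or mixed-order point"
    return "ok"

# Constructed sample: the standard Ed25519 base point B, which has order L and must pass.
BASEPOINT = bytes.fromhex("58" + "66" * 31)
```

Run `check_public_key` on every externally supplied key before handing it to the library; the all-zero encoding (an order-4 point) and the encoding of y = p - 1 (the order-2 point) are useful regression inputs that must be rejected.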
Final Takeaway
CVE-2025-15444 is not a loud vulnerability, but it is a serious cryptographic correctness issue. It mainly affects advanced or custom cryptographic use cases, but when triggered, it can quietly undermine security guarantees that systems rely on.
Upgrading to Crypt::Sodium::XS 0.000042 is the definitive fix and should be treated as mandatory for any security-sensitive deployment.
