Incomplete List of Disallowed Inputs

CVE-2025-69277

Severity Medium
Score 4.5/10

Summary

In atypical use cases involving certain custom cryptography or untrusted data passed to "crypto_core_ed25519_is_valid_point()", libsodium mishandles the check for whether an elliptic curve point is valid, because it sometimes accepts points that are not in the main cryptographic group. This affects libsodium versions prior to 1.8.0-FINAL. It also affects PyNaCl versions prior to 1.6.2, hdwallet versions prior to 3.6.1, and the paragonie/sodium_compat package in versions prior to 1.24.0 and 2.x prior to 2.5.0.

  • HIGH
  • LOCAL
  • LOW
  • CHANGED
  • NONE
  • NONE
  • LOW
  • NONE

CWE-184 - Incomplete List of Disallowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses.
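The following is an added illustration of the weakness described in the summary and in CWE-184; it is not code from libsodium, PyNaCl or any other affected project. In pure Python (affine Ed25519 arithmetic, unoptimised) it constructs a point P = B + T from the base point B and an order-4 torsion point T: P lies on the curve and is not itself a small-order point, so a validity check that only rejects known small-order points (an incomplete list) accepts it, while multiplying by the group order L shows it is not in the main group.

```python
# Added example, not libsodium's or PyNaCl's code: Ed25519 point checks in pure
# Python showing that "on the curve" plus "not a known small-order point" does
# not imply "in the main (prime-order) group". Scalar L and constant d are the
# standard Ed25519 parameters; B, T and P are constructed for the demonstration.
p = 2**255 - 19
d = (-121665 * pow(121666, -1, p)) % p          # twisted Edwards constant, a = -1
L = 2**252 + 27742317777372353535851937790883648493  # prime order of the main group
I = pow(2, (p - 1) // 4, p)                      # a square root of -1 mod p
IDENTITY = (0, 1)

def on_curve(P):
    """Curve equation -x^2 + y^2 = 1 + d x^2 y^2 (mod p)."""
    x, y = P
    return (-x * x + y * y - 1 - d * x * x * y * y) % p == 0

def add(P, Q):
    """Complete Edwards addition law (a = -1); also valid for doubling."""
    x1, y1 = P
    x2, y2 = Q
    k = d * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + k, -1, p)
    y3 = (y1 * y2 + x1 * x2) * pow(1 - k, -1, p)
    return (x3 % p, y3 % p)

def mul(n, P):                                   # double-and-add scalar multiplication
    R = IDENTITY
    while n:
        if n & 1:
            R = add(R, P)
        P = add(P, P)
        n >>= 1
    return R

def xrecover(y):
    """Even x coordinate for a given y, as in RFC 8032 point decoding."""
    xx = (y * y - 1) * pow(d * y * y + 1, -1, p) % p
    x = pow(xx, (p + 3) // 8, p)
    if (x * x - xx) % p:
        x = x * I % p
    return x if x % 2 == 0 else p - x

def is_small_order(P):
    return mul(8, P) == IDENTITY                 # the torsion subgroup has order 8

def in_main_subgroup(P):
    """Full check: on the curve, not the identity, and killed by the group order L."""
    return on_curve(P) and P != IDENTITY and mul(L, P) == IDENTITY

By = 4 * pow(5, -1, p) % p
B = (xrecover(By), By)                           # standard base point, order L
T = (I, 0)                                       # order-4 torsion point: 2T = (0, -1)
P = add(B, T)                                    # constructed: main-group point plus torsion
```

Because L is odd, L*P = L*B + L*T = T rather than the identity, which is exactly what the order-L check detects and a small-order blocklist misses.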

Advisory Timeline

  • Published