paragonie/sodium_compat is vulnerable to Incomplete List of Disallowed Inputs
45
Medium Risk
Affected versions of this package are vulnerable to improper validation of Ed25519 elliptic-curve points due to a flaw in crypto_core_ed25519_is_valid_point(), which fails to correctly reject certain invalid inputs. This can lead to incorrect behavior in applications that directly rely on this low-level function with untrusted data. High-level cryptographic APIs are not impacted.
You are affected if you are using a version that falls within the vulnerable range.
paragonie/sodium_compat is vulnerable to Incomplete List of Disallowed Inputs in versions 0.0.1 - 1.23.0 and 2.0.0 - 2.4.0.
Upgrade the paragonie/sodium_compat library to a patched version, that is, a release outside the affected ranges listed above.
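A triage check for the two conditions this advisory describes (a locked version inside the affected ranges, and direct use of crypto_core_ed25519_is_valid_point()), added here as an example and not taken from the advisory or the sodium_compat project. The sample composer.lock content, the file names and the Hypothetical_Wrapper call prefix are constructed; the script is Python so it can run in CI without a PHP runtime.

```python
import json
import re

PACKAGE = "paragonie/sodium_compat"
# Affected ranges as stated in the advisory, both ends inclusive.
AFFECTED = [((0, 0, 1), (1, 23, 0)), ((2, 0, 0), (2, 4, 0))]
# Any direct call to the low-level function named in the advisory.
CALL_RE = re.compile(r"crypto_core_ed25519_is_valid_point\s*\(")

def parse_version(text):
    """Return (major, minor, patch), or None for versions such as dev-main."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def locked_version(lock_text):
    """Return the version string composer.lock pins for PACKAGE, or None."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                return pkg.get("version")
    return None

def is_affected(version_text):
    """True or False for numeric versions; None when it cannot be compared."""
    version = parse_version(version_text)
    if version is None:
        return None  # branch or alias: review by hand
    return any(low <= version <= high for low, high in AFFECTED)

def direct_calls(sources):
    """Map file name -> line numbers that call the function directly."""
    hits = {}
    for name, text in sources.items():
        lines = [n for n, line in enumerate(text.splitlines(), 1)
                 if CALL_RE.search(line)]
        if lines:
            hits[name] = lines
    return hits

# Constructed sample input (not from a real project).
SAMPLE_LOCK = '{"packages": [{"name": "paragonie/sodium_compat", "version": "v1.20.0"}]}'
SAMPLE_SOURCES = {
    "src/Verify.php": "<?php\n$ok = sodium_crypto_sign_verify_detached($sig, $msg, $pk);\n",
    "src/Point.php": "<?php\n$ok = Hypothetical_Wrapper::crypto_core_ed25519_is_valid_point($input);\n",
}

if __name__ == "__main__":
    version = locked_version(SAMPLE_LOCK)
    print(version, is_affected(version), direct_calls(SAMPLE_SOURCES))
```

A locked version in range with no direct call sites still warrants the upgrade; the call-site list shows where untrusted input may reach the flawed check in the meantime.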