Merged
39 changes: 39 additions & 0 deletions content/blog/libsodium-vulnerability-ed25519-valid-points.md
@@ -0,0 +1,39 @@
+++
title = "A vulnerability in libsodium's validation of ed25519 elliptic curve points: You are likely not affected"
date = 2025-12-21T12:40:00
updated = 2025-12-21T12:40:00
draft = false # Leave this as true so that it is not published
template = "blog/page.html"

[extra]
lead = "Libsodium's author Frank Denis has found a missing check for validating elliptic curve points in a low-level function not exposed by libsodium-bindings"
+++

On December 30th 2025, [Libsodium][Libsodium] author Frank Denis has published the existence of a vulnerability regarding a [missing validation of elliptic curve points for the `crypto_core_ed25519_is_valid_point`
function](https://00f.net/2025/12/30/libsodium-vulnerability/) of the Ed25519 public signature API. Fortunately, the fallout is mitigated in great part by two factors:

1. The [`libsodium-bindings`][libsodium-bindings] library does not export this low-level function;
2. If you do not use this function directly, but instead keep on using the [`CryptoSign`][CryptoSign] high-level API, you are safe.

## Affected versions

If you still need to comply with an audit, know that you are bound to be marked as "vulnerable" if you use a released version lower or equal to 1.0.20, or a version of libsodium released before December 30, 2025 (date of the publication of this vulnerabilty).

## Recommendations

For finite field arithmetic, an advanced use-case of the C library, The Libsodium project advises to switch to [Ristretto255][Ristretto255], available since Libsodium 1.0.18.
At this time, [libsodium-bindings][libsodium-bindings] does not export bindings to this particular API, although a contribution in this direction would be greatly appreciated if you or your
organisation might depend on such operations.

---

The Haskell Cryptography Group is affiliated with the [Haskell Foundation][Haskell Foundation]. [Get in touch](mailto:sponsorship@haskell.foundation) to see how you can best support our work.

Please consider [sponsoring] the Libsodium project in order to ensure it can provide the best-in-class cryptographic safety for its end-users.

[Libsodium]: https://libsodium.gitbook.io/doc
[CryptoSign]: https://hackage-content.haskell.org/package/libsodium-bindings/docs/LibSodium-Bindings-CryptoSign.html
[libsodium-bindings]: https://github.com/haskell-cryptography/libsodium-bindings/tree/main/libsodium-bindings
[Ristretto255]: https://libsodium.gitbook.io/doc/advanced/point-arithmetic/ristretto
[sponsoring]: https://opencollective.com/libsodium/contribute
[Haskell Foundation]: https://haskell.foundation/
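
Review bot: The front matter sets `date` and `updated` to 2025-12-21T12:40:00, but the first paragraph says the disclosure was published "On December 30th 2025" and the linked advisory URL sits under /2025/12/30/, so the post is dated nine days before the event it reports; set both fields to the real publication date. In the same front matter, `draft = false` carries the comment "Leave this as true so that it is not published", which contradicts the value and should be dropped or corrected. In the "Affected versions" paragraph, "vulnerabilty" is misspelled, and "lower or equal to 1.0.20, or a version of libsodium released before December 30, 2025" gives an auditor two overlapping criteria without naming a fixed release or commit; stating the first fixed version, once known, would make the check actionable. Minor wording: "has published the existence of a vulnerability" reads better as "disclosed a vulnerability", and "The Libsodium project" in mid-sentence should use a lowercase "the".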