{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-15444","assignerOrgId":"9b29abf9-4ab0-4765-b253-1875cd9b441e","state":"PUBLISHED","assignerShortName":"CPANSec","dateReserved":"2026-01-03T22:06:02.639Z","datePublished":"2026-01-06T00:22:50.114Z","dateUpdated":"2026-01-06T19:01:27.678Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","packageName":"Crypt-Sodium-XS","product":"Crypt::Sodium::XS","vendor":"IAMB","versions":[{"lessThan":"0.000042","status":"affected","version":"0","versionType":"custom"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Crypt::Sodium::XS module versions prior to&nbsp;0.000042,&nbsp;for Perl, include a vulnerable version of libsodium<br><br>libsodium &lt;= 1.0.20 or a version of libsodium released before December 30, 2025 contains a vulnerability documented as CVE-2025-69277&nbsp;<a target=\"_blank\" rel=\"nofollow\" href=\"https://www.cve.org/CVERecord?id=CVE-2025-69277\">https://www.cve.org/CVERecord?id=CVE-2025-69277</a>.<br><br>The libsodium vulnerability states:<br><br>In atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.<br><br>0.000042 includes a version of&nbsp;libsodium updated to 1.0.20-stable, <span style=\"background-color: rgb(255, 255, 255);\">released January 3, 2026, which includes a fix for the vulnerability.</span><br>"}],"value":"Crypt::Sodium::XS module versions prior to 0.000042, for Perl, include a vulnerable version of libsodium\n\nlibsodium <= 1.0.20 or a version of libsodium released before December 30, 2025 contains a vulnerability documented as CVE-2025-69277  https://www.cve.org/CVERecord?id=CVE-2025-69277 .\n\nThe libsodium vulnerability states:\n\nIn atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.\n\n0.000042 includes a version of libsodium updated to 1.0.20-stable, released January 3, 2026, which includes a fix for the vulnerability."}],"problemTypes":[{"descriptions":[{"cweId":"CWE-1395","description":"CWE-1395 Dependency on Vulnerable Third-Party Component","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"9b29abf9-4ab0-4765-b253-1875cd9b441e","shortName":"CPANSec","dateUpdated":"2026-01-06T00:22:50.114Z"},"references":[{"url":"https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae"},{"url":"https://00f.net/2025/12/30/libsodium-vulnerability/"},{"tags":["release-notes"],"url":"https://metacpan.org/dist/Crypt-Sodium-XS/changes"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Upgrade to version&nbsp;0.000042 or later"}],"value":"Upgrade to version 0.000042 or later"}],"source":{"discovery":"UPSTREAM"},"title":"Crypt::Sodium::XS module versions prior to 0.000042, for Perl, include a vulnerable version of libsodium","x_generator":{"engine":"Vulnogram 0.5.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":9.8,"attackVector":"NETWORK","baseSeverity":"CRITICAL","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"NONE","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"timestamp":"2026-01-06T14:23:55.371687Z","id":"CVE-2025-15444","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-01-06T19:01:27.678Z"}}]}}