|
| 1 | ++++ |
| 2 | +title = "A vulnerability in libsodium's validation of ed25519 elliptic curve points: You are likely not affected" |
| 3 | +date = 2025-12-21T12:40:00 |
| 4 | +updated = 2025-12-21T12:40:00 |
| 5 | +draft = false # Leave this as true so that it is not published |
| 6 | +template = "blog/page.html" |
| 7 | + |
| 8 | +[extra] |
| 9 | +lead = "Libsodium's author Frank Denis has found a missing check for validating elliptic curve points in a low-level function not exposed by libsodium-bindings" |
| 10 | ++++ |
| 11 | + |
| 12 | +On December 30th 2025, [Libsodium][Libsodium] author Frank Denis has published the existence of a vulnerability regarding a [missing validation of elliptic curve points for the `crypto_core_ed25519_is_valid_point` |
| 13 | +function](https://00f.net/2025/12/30/libsodium-vulnerability/) of the Ed25519 public signature API. Fortunately, the fallout is mitigated in great part by two factors: |
| 14 | + |
| 15 | +1. The [`libsodium-bindings`][libsodium-bindings] library does not export this low-level function; |
| 16 | +2. If you do not use this function directly, but instead keep on using the [`CryptoSign`][CryptoSign] high-level API, you are safe. |
| 17 | + |
| 18 | +## Affected versions |
| 19 | + |
| 20 | +If you still need to comply with an audit, know that you are bound to be marked as "vulnerable" if you use a released version lower or equal to 1.0.20, or a version of libsodium released before December 30, 2025 (date of the publication of this vulnerabilty). |
| 21 | + |
| 22 | +## Recommendations |
| 23 | + |
| 24 | +For finite field arithmetic, an advanced use-case of the C library, The Libsodium project advises to switch to [Ristretto255][Ristretto255], available since Libsodium 1.0.18. |
| 25 | +At this time, [libsodium-bindings][libsodium-bindings] does not export bindings to this particular API, although a contribution in this direction would be greatly appreciated if you or your |
| 26 | +organisation might depend on such operations. |
| 27 | + |
| 28 | +--- |
| 29 | + |
| 30 | +The Haskell Cryptography Group is affiliated with the [Haskell Foundation][Haskell Foundation]. [Get in touch](mailto:sponsorship@haskell.foundation) to see how you can best support our work. |
| 31 | + |
| 32 | +Please consider [sponsoring] the Libsodium project in order to ensure it can provide the best-in-class cryptographic safety for its end-users. |
| 33 | + |
| 34 | +[Libsodium]: https://libsodium.gitbook.io/doc |
| 35 | +[CryptoSign]: https://hackage-content.haskell.org/package/libsodium-bindings/docs/LibSodium-Bindings-CryptoSign.html |
| 36 | +[libsodium-bindings]: https://github.com/haskell-cryptography/libsodium-bindings/tree/main/libsodium-bindings |
| 37 | +[Ristretto255]: https://libsodium.gitbook.io/doc/advanced/point-arithmetic/ristretto |
| 38 | +[sponsoring]: https://opencollective.com/libsodium/contribute |
| 39 | +[Haskell Foundation]: https://haskell.foundation/ |
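Review bot: the front matter on file lines 3-4 sets `date = 2025-12-21T12:40:00`, but the body dates the disclosure to "December 30th 2025" (line 12) and defines affected builds as those released "before December 30, 2025" (line 20), so the post is dated nine days before the event it reports. Reconcile the two dates before merging, since the cutoff in "Affected versions" is what readers will use to answer an audit. On line 5, `draft = false` contradicts its own comment "Leave this as true so that it is not published"; either drop the comment or confirm that publication is intended. Minor wording: "vulnerabilty" on line 20 is misspelled, "has published" on line 12 should be "published" given the explicit date, and "The Libsodium project" on line 24 is capitalised mid-sentence.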