A vulnerability in libsodium's validation of ed25519 elliptic curve points: You are likely not affected
Posted 2025-12-21 12:40:00 ‐ 2 min read
Libsodium's author Frank Denis has found a missing check for validating elliptic curve points in a low-level function not exposed by libsodium-bindings.
On December 30th 2025, Libsodium author Frank Denis disclosed a vulnerability: missing validation of elliptic curve points in the crypto_core_ed25519_is_valid_point function of the Ed25519 public signature API. Fortunately, the fallout is largely mitigated by two factors:
- The libsodium-bindings library does not export this low-level function;
- If you do not use this function directly, but instead keep using the CryptoSign high-level API, you are safe.
Affected versions
If you still need to comply with an audit, know that you are bound to be marked as "vulnerable" if you use a released version lower than or equal to 1.0.20, or a version of libsodium released before December 30, 2025 (the publication date of this vulnerability).
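To answer an audit finding with evidence, the two criteria above (version at or below 1.0.20, and direct use of the function) can be checked mechanically. The script below is an added example, not code from this post, libsodium or libsodium-bindings; the function names `version_flagged`, `direct_users` and `triage` are hypothetical, and it does not check the release-date criterion.

```shell
#!/bin/sh
# Added example: audit triage built from the two criteria in this advisory.
SYMBOL=crypto_core_ed25519_is_valid_point   # function named in the advisory
LAST_FLAGGED=1.0.20                         # "lower than or equal to 1.0.20"

# version_flagged VER: succeeds when VER <= LAST_FLAGGED.
# Assumes a three-field numeric version such as 1.0.18.
version_flagged() {
    printf '%s %s\n' "$1" "$LAST_FLAGGED" | awk '{
        split($1, a, "."); split($2, b, ".")
        for (i = 1; i <= 3; i++) {
            if (a[i] + 0 < b[i] + 0) exit 0
            if (a[i] + 0 > b[i] + 0) exit 1
        }
        exit 0   # equal versions are flagged too
    }'
}

# direct_users DIR: list text files under DIR that mention the symbol as a
# whole word (FFI imports, C calls). This is a textual match, so comments
# count as hits and every hit needs a manual look.
direct_users() {
    grep -rIlw -- "$SYMBOL" "$1" 2>/dev/null || true
}

# triage SRC_DIR LIBSODIUM_VERSION: print one status word.
triage() {
    if ! version_flagged "$2"; then
        echo "not-flagged-by-version"
    elif [ -n "$(direct_users "$1")" ]; then
        echo "flagged-direct-use"       # review the listed call sites
    else
        echo "flagged-no-direct-use"    # flagged by the audit, function unused
    fi
}

# Usage, assuming pkg-config knows the installed libsodium:
#   triage ./src "$(pkg-config --modversion libsodium)"
```

A "flagged-no-direct-use" result only covers the scanned tree; dependencies that bind the C library themselves need the same scan.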
Recommendations
For finite field arithmetic, an advanced use case of the C library, the Libsodium project advises switching to Ristretto255, available since Libsodium 1.0.18. At this time, libsodium-bindings does not export bindings to this particular API, although a contribution in this direction would be greatly appreciated if you or your organisation depend on such operations.
The Haskell Cryptography Group is affiliated with the Haskell Foundation. Get in touch to see how you can best support our work.
Please consider sponsoring the Libsodium project in order to ensure it can provide the best-in-class cryptographic safety for its end-users.