Description
CVE-2025-15444 - Critical Severity Vulnerability
Vulnerable Library - freebsd-src release/15.0.0-p1
The FreeBSD src tree publish-only repository. Experimenting with 'simple' pull requests....
Library home page: https://github.com/freebsd/freebsd-src.git
Found in base branch: master
Vulnerability Details
Crypt::Sodium::XS (a Perl module) versions prior to 0.000042 bundle a vulnerable version of libsodium.
libsodium <= 1.0.20, or any libsodium release published before December 30, 2025, contains the vulnerability tracked as CVE-2025-69277 (https://www.cve.org/CVERecord?id=CVE-2025-69277).
The libsodium CVE description states:
In atypical use cases involving certain custom cryptography or untrusted data passed to crypto_core_ed25519_is_valid_point, libsodium mishandles checks for whether an elliptic curve point is valid, because it sometimes allows points that aren't in the main cryptographic group (the prime-order subgroup).
Crypt::Sodium::XS 0.000042 bundles libsodium updated to 1.0.20-stable, released January 3, 2026, which includes the fix for this vulnerability.
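To make the distinction in that description concrete, the following pure-Python Ed25519 model is an added illustration (it is not libsodium's, Crypt::Sodium::XS's or FreeBSD's code, and the incomplete check it contrasts against is a generic illustration of the class of mistake, not a reproduction of libsodium's actual defect). It builds a point that is on the curve and is not of small order, yet is not in the main (prime-order) subgroup: the sum of the base point B and a point of order 4. A validation routine that stops at the small-order test accepts it; a routine that also checks [L]P = O rejects it. The curve constants, base point and group order L are the standard Ed25519 parameters.

```python
# Added example (not libsodium's or FreeBSD's code): pure-Python Ed25519 point
# validation showing why "not small order" is weaker than "in the main subgroup".

P = 2**255 - 19                                      # field prime
D = (-121665 * pow(121666, P - 2, P)) % P            # twisted Edwards constant d
L = 2**252 + 27742317777372353535851937790883648493  # order of the main (prime-order) subgroup
SQRT_M1 = pow(2, (P - 1) // 4, P)                    # sqrt(-1) mod P
IDENTITY = (0, 1)
# Standard Ed25519 base point; it generates the prime-order subgroup.
B = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     46316835694926478169428394003475163141307993866256225615783033603165251855960)
# A point of order 4, (sqrt(-1), 0): on the curve, but not in the main subgroup.
ORDER4 = (SQRT_M1, 0)


def inv(a):
    return pow(a, P - 2, P)


def add(p1, p2):
    """Complete affine addition on -x^2 + y^2 = 1 + d x^2 y^2."""
    x1, y1 = p1
    x2, y2 = p2
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + x2 * y1) * inv(1 + t) % P
    y3 = (y1 * y2 + x1 * x2) * inv(1 - t) % P
    return (x3, y3)


def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; fine for a demo)."""
    acc = IDENTITY
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def on_curve(pt):
    x, y = pt
    return (-x * x + y * y - 1 - D * x * x * y * y) % P == 0


def encode(pt):
    x, y = pt
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def decode(b):
    """RFC 8032 decoding: canonical y, recover x, check the sign bit. None on failure."""
    if len(b) != 32:
        return None
    n = int.from_bytes(b, "little")
    sign, y = n >> 255, n & ((1 << 255) - 1)
    if y >= P:
        return None                           # non-canonical y
    x2 = (y * y - 1) * inv(D * y * y + 1) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * SQRT_M1 % P
    if (x * x - x2) % P:
        return None                           # no point has this y
    if x == 0 and sign:
        return None                           # non-canonical sign for x = 0
    if (x & 1) != sign:
        x = P - x
    return (x, y)


def is_small_order(pt):
    return mul(8, pt) == IDENTITY            # cofactor is 8


def is_on_main_subgroup(pt):
    return mul(L, pt) == IDENTITY            # [L]P = O  <=>  P in the prime-order subgroup


def is_valid_point_small_order_only(b):
    """Incomplete check: rejects small-order points but not mixed-order ones."""
    pt = decode(b)
    return pt is not None and on_curve(pt) and not is_small_order(pt)


def is_valid_point(b):
    """Complete check: canonical, on curve, not small order, and in the main subgroup."""
    pt = decode(b)
    return (pt is not None and on_curve(pt)
            and not is_small_order(pt) and is_on_main_subgroup(pt))


if __name__ == "__main__":
    q = add(B, ORDER4)                       # order 4*L: neither small order nor main subgroup
    for name, pt in [("B", B), ("ORDER4", ORDER4), ("B+ORDER4", q)]:
        enc = encode(pt)
        print(f"{name:9} small-order-only={is_valid_point_small_order_only(enc)} "
              f"complete={is_valid_point(enc)}")
```

The subgroup test [L]P = O is what separates the two routines: a point of order 4L passes the cofactor test because [8]P is not the identity, and only the multiplication by L exposes it. This affine model spends a few hundred field inversions per check; libsodium's real implementation works in projective coordinates with constant-time arithmetic, so the example models only the validation logic, not its performance or side-channel profile.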
Publish Date: 2026-01-06
URL: CVE-2025-15444
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://00f.net/2025/12/30/libsodium-vulnerability/
Release Date: 2026-01-06
Fix Resolution: https://github.com/jedisct1/libsodium.git - no_fix (no fixed release tag is recorded here; the vulnerability details above identify libsodium 1.0.20-stable, released January 3, 2026, as containing the fix)