@joelpittet joelpittet commented Jan 2, 2026

I saw some other PRs tackling the onelogin/php-saml #18380

This one only targets

```text
+-------------------+----------------------------------------------------------------------------------+
| Package           | paragonie/sodium_compat                                                          |
| Severity          |                                                                                  |
| Advisory ID       | PKSA-8x19-j2j3-bn67                                                              |
| CVE               | NO CVE                                                                           |
| Title             | Missing check that a point is on the prime subgroup for Edwards25519             |
| URL               | https://00f.net/2025/12/30/libsodium-vulnerability                               |
| Affected versions | >=2,<2.5.0|<1.24.0                                                               |
| Reported at       | 2025-12-30T00:00:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
```
```text
~/Contrib/snipe-it develop 6s                                                                                                                                       13:49:08
❯ composer audit
Found 4 security vulnerability advisories affecting 4 packages:
+-------------------+----------------------------------------------------------------------------------+
| Package           | aws/aws-sdk-php                                                                  |
| Severity          | medium                                                                           |
| Advisory ID       | PKSA-dxyf-6n16-t87m                                                              |
| CVE               | CVE-2025-14761                                                                   |
| Title             | Key Commitment Issues in S3 Encryption Clients                                   |
| URL               | https://aws.amazon.com/security/security-bulletins/AWS-2025-032/                 |
| Affected versions | >=3.0.0,<3.368.0                                                                 |
| Reported at       | 2025-12-17T20:15:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | onelogin/php-saml                                                                |
| Severity          | critical                                                                         |
| Advisory ID       | PKSA-67d7-mg8j-87zx                                                              |
| CVE               | NO CVE                                                                           |
| Title             |  SAML PHP Toolkit Vulnerability on xmlseclibs CVE-2025-66475                     |
| URL               | https://github.com/advisories/GHSA-5j8p-438x-rgg5                                |
| Affected versions | >=4.0.0,<4.3.1|>=3.0.0,<3.8.1|<2.21.1                                            |
| Reported at       | 2025-12-09T17:24:09+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | paragonie/sodium_compat                                                          |
| Severity          |                                                                                  |
| Advisory ID       | PKSA-8x19-j2j3-bn67                                                              |
| CVE               | NO CVE                                                                           |
| Title             | Missing check that a point is on the prime subgroup for Edwards25519             |
| URL               | https://00f.net/2025/12/30/libsodium-vulnerability                               |
| Affected versions | >=2,<2.5.0|<1.24.0                                                               |
| Reported at       | 2025-12-30T00:00:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | robrichards/xmlseclibs                                                           |
| Severity          | medium                                                                           |
| Advisory ID       | PKSA-pcdf-qvqm-w4tv                                                              |
| CVE               | CVE-2025-66578                                                                   |
| Title             | robrichards/xmlseclibs has an Libxml2 Canonicalization error which can bypass    |
|                   | Digest/Signature validation                                                      |
| URL               | https://github.com/advisories/GHSA-c4cc-x928-vjw9                                |
| Affected versions | <=3.1.3                                                                          |
| Reported at       | 2025-12-08T17:57:33+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
```

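An added example, not part of the PR or of snipe-it: it parses the `composer audit` table format shown above (including the wrapped `Title` row and the `|` inside `Affected versions`) and checks a locked version against the advisory's range, where `|` separates alternatives and `,` joins conditions that must all hold. The sample text is a constructed, shortened copy of the output above; the version comparison is a simplified numeric one written for this example.

```python
import re
from operator import ge, le, eq, gt, lt
# Constructed sample: a shortened copy of the `composer audit` output shown in the PR.
SAMPLE = """\
Found 2 security vulnerability advisories affecting 2 packages:
+-------------------+-----------------------------------------------------+
| Package           | paragonie/sodium_compat                             |
| Advisory ID       | PKSA-8x19-j2j3-bn67                                 |
| Title             | Missing check that a point is on the prime subgroup |
|                   | for Edwards25519                                    |
| Affected versions | >=2,<2.5.0|<1.24.0                                  |
+-------------------+-----------------------------------------------------+
+-------------------+-----------------------------------------------------+
| Package           | robrichards/xmlseclibs                              |
| Advisory ID       | PKSA-pcdf-qvqm-w4tv                                 |
| Affected versions | <=3.1.3                                             |
+-------------------+-----------------------------------------------------+
"""
OPS = {">=": ge, "<=": le, "==": eq, ">": gt, "<": lt, "=": eq}
ROW = re.compile(r"^\|\s*(.*?)\s*\|\s*(.*?)\s*\|$")  # key | value; the value may itself contain '|'

def parse_audit(text):
    """Parse the ASCII tables into dicts; a row with a blank key continues the previous value."""
    records, cur = [], {}
    for line in text.splitlines():
        if line.startswith("+"):               # table border: close any open record
            if cur:
                records.append(cur)
            cur = {}
            continue
        m = ROW.match(line)                    # the prompt and "Found N ..." lines do not match
        if m and m.group(1):
            cur[m.group(1)] = m.group(2)
        elif m and cur:                        # wrapped value (e.g. a long Title)
            cur[next(reversed(cur))] += " " + m.group(2)
    return records
def vtuple(v, width=4):
    nums = [int(x) for x in re.findall(r"\d+", v)]   # numeric parts only; pre-release tags not modelled
    return tuple((nums + [0] * width)[:width])
def satisfies(installed, constraint):
    """True if `installed` falls in a range like '>=2,<2.5.0|<1.24.0' ('|' is OR, ',' is AND)."""
    for alternative in re.split(r"\|\|?", constraint):
        terms = [re.fullmatch(r"\s*(>=|<=|==|>|<|=)?\s*(\S+)\s*", t) for t in alternative.split(",")]
        if all(OPS[m.group(1) or "="](vtuple(installed), vtuple(m.group(2))) for m in terms):
            return True
    return False
def affected(text, installed):
    """(package, advisory id) pairs whose affected range matches the installed version."""
    return [(r["Package"], r["Advisory ID"]) for r in parse_audit(text)
            if r["Package"] in installed and satisfies(installed[r["Package"]], r["Affected versions"])]
```

With `installed` taken from `composer.lock`, a non-empty result from `affected()` is what a CI step would fail on after a bump like this one.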
@joelpittet joelpittet requested a review from snipe as a code owner January 2, 2026 21:57