A Vulnerability in Libsodium

Beloved crypto library misses a tiny check, fans split between panic and praise

TLDR: Libsodium’s point-validation function missed a key check, letting some invalid curve points pass as “okay.” Commenters swing from calm praise to audit mode: the PHP bindings are affected, devs are reviewing other libraries, and many call for sponsoring maintainer Frank Denis to keep this crucial tool rock‑solid.

Libsodium, the “make crypto simple” library, just stubbed its toe: a tiny missing check let some bad points sneak past an “is this valid?” gate. The dev owns it, explains the math playground, and the crowd goes wild. Some cheer, some clutch pearls, many crack jokes. Zero CVEs in 13 years? Now it’s “zero drama-free weeks.”

The alarm bell rang loudest with CiPHPerCoder: “This also affected the PHP library, sodium_compat,” and they vowed to spend the night auditing every Ed25519 (a popular signing scheme) implementation they can find. Meanwhile, runtimepanic warned that this “subtle but important bug” shows “is valid” is never simple. In the feel‑good corner, gafferongames tossed a rose (“Such a great library”), while theLiminator rallied: “Big companies, sponsor Frank!”

Then came the curve hipsters: proof_by_vibes is vibing hard on Ristretto (a safer way to use the same math), saying they’ve been having “a blast” building with it, which prompted calls to switch more apps to it. Jokes flew: “Is valid? Not even my ex,” and “Edwards25519 is a playground with the wrong kids sneaking in.” The mood: respect for the transparency, mild panic audits, and a chorus to pay the maintainer. Also: debate over low-level knobs vs. safety.

Key Points

  • Libsodium’s maintainer discovered a bug in crypto_core_ed25519_is_valid_point() during batch signature experiments.
  • The function intended to verify that a point lies in Edwards25519’s main subgroup (order L) by multiplying the point by L.
  • Identity detection after multiplication was incomplete: the code checked only X = 0, but omitted verifying Y = Z in projective coordinates.
  • The flaw allowed some mixed-order points to be incorrectly accepted as valid, though small-order points were properly rejected.
  • The discrepancy surfaced when comparing against the Zig implementation, where the Y = Z check was present, which exposed the missing validation in libsodium.
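To make the missing check concrete, here is an added Python model of Ed25519 points (not libsodium’s code, and not from the thread). It assumes the RFC 8032 curve constants and builds a mixed-order point as B + (0, -1): multiplying it by L lands on the order-2 point, which passes an X == 0 test but fails the full X == 0 and Y == Z test.

```python
# Added model of Ed25519 points (not libsodium's code) to show why the identity test
# after multiplying by L must check Y == Z as well as X == 0. Constants per RFC 8032.
p = 2**255 - 19                                       # field prime
L = 2**252 + 27742317777372353535851937790883648493   # order of the main subgroup
d = (-121665 * pow(121666, -1, p)) % p                # curve constant (a = -1)

def ext_add(P, Q):
    """Complete addition in extended coordinates (X, Y, Z, T); RFC 8032 formulas."""
    (X1, Y1, Z1, T1), (X2, Y2, Z2, T2) = P, Q
    A = (Y1 - X1) * (Y2 - X2) % p
    B = (Y1 + X1) * (Y2 + X2) % p
    C = 2 * d * T1 * T2 % p
    D = 2 * Z1 * Z2 % p
    E, F, G, H = B - A, D - C, D + C, B + A
    return (E * F % p, G * H % p, F * G % p, E * H % p)

def scalar_mult(k, P):
    R = (0, 1, 1, 0)                                  # identity point (0, 1)
    while k:
        if k & 1:
            R = ext_add(R, P)
        P = ext_add(P, P)
        k >>= 1
    return R

def is_identity_buggy(P):                             # X == 0 only: the missed check
    return P[0] == 0
def is_identity_fixed(P):                             # X == 0 and Y == Z (projective)
    return P[0] == 0 and P[1] == P[2]

def is_valid_point(P, identity_test):
    """Reject small-order points, then require L*P to be the identity."""
    if is_identity_fixed(scalar_mult(8, P)):          # small-order check was already right
        return False
    return identity_test(scalar_mult(L, P))

def affine(x, y):
    return (x % p, y % p, 1, x * y % p)

def base_point():
    y = 4 * pow(5, -1, p) % p
    x2 = (y * y - 1) * pow(d * y * y + 1, -1, p) % p
    x = pow(x2, (p + 3) // 8, p)                      # square root for p = 5 (mod 8)
    if x * x % p != x2:
        x = x * pow(2, (p - 1) // 4, p) % p
    return affine(p - x if x & 1 else x, y)           # canonical B has even x
B = base_point()                                      # generator of the order-L subgroup
TWO_TORSION = affine(0, -1)                           # the order-2 point (0, -1)
MIXED = ext_add(B, TWO_TORSION)                       # B + (0,-1): order 2L, outside main subgroup
```

Calling is_valid_point(MIXED, is_identity_buggy) returns True while is_valid_point(MIXED, is_identity_fixed) returns False; both reject TWO_TORSION and both accept B.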

Hottest takes

"This also affected the PHP library, sodium_compat." — CiPHPerCoder
"Subtle but important bug." — runtimepanic
"If you work for a big company, consider trying to get Frank sponsored by your company." — theLiminator

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.