Is there a bug in pynacl 2?

libsodium has Incomplete List of Disallowed Inputs libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group. This advisoory lists packages in the GitHub Advisory Database's [supported ecosystems](https://github.com/github/advisory-database?tab=readme-ov-file#supported-ecosystems) that are affected by this vulnerability due to a vulnerable dependency. Fixed in pynacl 2.5.0.

This package has limited bug data (1 entry). Check back later or see the package health page for the full signal.

pynacl known bugs

pypi

1 known bug in pynacl, with affected versions, fixes and workarounds. Sourced from upstream issue trackers.

View package health \u2192 Breaking changes \u2192

bugs

Known bugs

Severity	Affected	Fixed in	Title	Status	Source
medium	2	2.5.0	libsodium has Incomplete List of Disallowed Inputs libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group. This advisoory lists packages in the GitHub Advisory Database's [supported ecosystems](https://github.com/github/advisory-database?tab=readme-ov-file#supported-ecosystems) that are affected by this vulnerability due to a vulnerable dependency.	fixed	osv:GHSA-mrfv-m5wm-5w6w

API access

Get this data programmatically \u2014 free, no authentication.

curl https://depscope.dev/api/bugs/pypi/pynacl