Session only uses 128 bits of entropy for Ed25519 keys. This means their ECDLP is at most 64 bits, which is pretty reasonably in the realm of possibility for nation state attackers to exploit.
Session has an Ed25519 verification algorithm that verifies a signature for a message against a public key provided by the message. This is amateur hour.
Session uses an X25519 public key as the symmetric key for AES-GCM as part of their encryption for onion routing.
Additional gripes about their source code were also included in the blog post.
TL;DR from oss-security: