
Cloud Vulnerability DB
A community-led vulnerabilities database
Slack Nebula versions before 1.9.7 contain a vulnerability where the software mishandles CIDR in certain configurations, allowing acceptance of arbitrary source IP addresses within the Nebula network. The vulnerability was discovered in October 2025 and affects the network access control functionality of the software (Miggo Database).
The vulnerability stems from a flaw in the custom CIDR tree implementation (cidr.Tree4 and cidr.Tree6) used for IP-based access control in various components, including the firewall and allow lists. The issue was introduced when the code was changed to add the entire network instead of only the IP specified in the certificate. The vulnerability has been assigned a CVSS v3.1 score of 4.9 (Medium) with a vector string of CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L and is classified as CWE-420 (Unprotected Alternate Channel) (Miggo Database, NVD).
The vulnerability enables an attacker with control of a node (having a certificate with multiple IP addresses or a subnet routed through it) to perform IP spoofing within the Nebula network. This allows the attacker to send traffic impersonating another node, potentially leading to unauthorized UDP packet transmission or disruption of traffic through TCP RST packets (GitHub PR).
The vulnerability has been patched in Slack Nebula version 1.9.7. The fix involves replacing the custom CIDR implementation with a standard, well-tested library (github.com/gaissmai/bart) and migrating from net.IP to the more modern net/netip package. Users are advised to upgrade to version 1.9.7 or later to address this security issue (GitHub PR).
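The distinction the advisory draws, between the single address a certificate names and the whole network that address belongs to, is what a source-address check has to get right. The following is an added Go example written for this page, not Nebula's code and not the bart-based tables the 1.9.7 fix adopted: it uses only the standard-library net/netip package, assumes certificate IPs are expressed as address/bits entries (as in Nebula certificates) and routed subnets as plain prefixes, and all sample values are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
)

// SourcePolicy is the set of source addresses one peer is allowed to use.
// Illustrative check for this page, not Nebula's own implementation.
type SourcePolicy struct {
	allowed []netip.Prefix
}

// NewSourcePolicy builds the allow set the safe way.
// certIPs are the certificate's "address/bits" entries (the host's own address
// inside its Nebula network, an assumption about representation): only the
// single address is allowed, never the whole network.
// routedSubnets are prefixes the node may route for, so each whole prefix is allowed.
func NewSourcePolicy(certIPs, routedSubnets []netip.Prefix) SourcePolicy {
	var p SourcePolicy
	for _, ip := range certIPs {
		a := ip.Addr().Unmap()
		// A /32 (IPv4) or /128 (IPv6) prefix matches exactly one address.
		p.allowed = append(p.allowed, netip.PrefixFrom(a, a.BitLen()))
	}
	for _, s := range routedSubnets {
		p.allowed = append(p.allowed, s.Masked())
	}
	return p
}

// NewOverBroadPolicy reproduces, for contrast, the mistake the advisory
// describes: each certificate IP contributes its entire network, so the peer
// could source traffic from any address in that network.
func NewOverBroadPolicy(certIPs, routedSubnets []netip.Prefix) SourcePolicy {
	var p SourcePolicy
	for _, ip := range certIPs {
		p.allowed = append(p.allowed, ip.Masked())
	}
	for _, s := range routedSubnets {
		p.allowed = append(p.allowed, s.Masked())
	}
	return p
}

// AllowsSource reports whether a packet claiming the given source address may
// be accepted from this peer. Dropping packets that fail this check is what
// stops one node from impersonating another.
func (p SourcePolicy) AllowsSource(src netip.Addr) bool {
	src = src.Unmap()
	for _, pre := range p.allowed {
		if pre.Contains(src) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample certificate: host 10.0.0.5 inside the 10.0.0.0/24
	// Nebula network, permitted to route for 192.168.50.0/24.
	certIPs := []netip.Prefix{netip.MustParsePrefix("10.0.0.5/24")}
	subnets := []netip.Prefix{netip.MustParsePrefix("192.168.50.0/24")}

	strict := NewSourcePolicy(certIPs, subnets)
	broad := NewOverBroadPolicy(certIPs, subnets)

	// 10.0.0.9 is a neighbour's address: the strict policy rejects it, the
	// over-broad one accepts it, which is the spoofing the advisory describes.
	for _, s := range []string{"10.0.0.5", "10.0.0.9", "192.168.50.77", "172.16.0.1"} {
		src := netip.MustParseAddr(s)
		fmt.Printf("%-14s strict=%-5v over-broad=%v\n", s, strict.AllowsSource(src), broad.AllowsSource(src))
	}
}
```

The strict policy and the over-broad policy agree on the host's own address and on the routed subnet; they differ only on the other addresses of the host's network, which is exactly the gap that let a node send traffic with a neighbour's source address.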
Source: This report was generated using AI