
Cloud Vulnerability DB
A community-led vulnerabilities database
Slack Nebula before version 1.9.7 contains a vulnerability where it mishandles CIDR in some configurations, allowing acceptance of arbitrary source IP addresses within the Nebula network. The vulnerability was discovered on October 7, 2025, and was disclosed on October 23, 2025. This issue affects Slack Nebula versions from 1.9.4 up to, but not including, the fixed version 1.9.7 (Miggo Database, NVD).
The vulnerability stems from improper CIDR construction in the hostmap.go file. The bug was introduced by a code change that ended up adding the entire network instead of only the IP specified in the certificate: the prefix length of the CIDR was taken from the mask's Mask.Size() instead of from the address's BitLen(). The vulnerability has been assigned a CVSS v3.1 base score of 4.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L (Miggo Database).
If exploited, this vulnerability allows an attacker who controls or has compromised a node with a certificate that matches specific requirements to perform IP spoofing within the Nebula network. The attacker could send traffic impersonating another node, enabling them to send arbitrary UDP packets to services or to disrupt traffic by sending TCP RST packets (GitHub PR 1493).
The vulnerability has been fixed in Slack Nebula version 1.9.7. The fix corrects the CIDR construction in hostmap.go by using the address's BitLen() instead of Mask.Size(), so that only the certificate's own IP is added as a single-host prefix. Users are advised to upgrade to version 1.9.7 or later to address this security issue (GitHub PR 1494).
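The following is an added example, not code from the Nebula project, illustrating the prefix-construction mistake described above and its fix. The certificate address and mask are constructed sample values, and the function names (certNetwork, vulnerablePrefix, fixedPrefix, attributionCheck) are hypothetical.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
)

// certNetwork models the IP and network mask carried by a Nebula certificate.
// Constructed sample values; not taken from a real certificate.
func certNetwork() (netip.Addr, *net.IPNet) {
	addr := netip.MustParseAddr("10.10.0.5")
	_, ipNet, _ := net.ParseCIDR("10.10.0.5/24")
	return addr, ipNet
}

// vulnerablePrefix builds the host prefix the way the bug did: the prefix
// length comes from the certificate mask's Mask.Size(), so the resulting
// prefix covers the entire /24 rather than the single certificate IP.
func vulnerablePrefix(addr netip.Addr, ipNet *net.IPNet) netip.Prefix {
	ones, _ := ipNet.Mask.Size()
	return netip.PrefixFrom(addr, ones)
}

// fixedPrefix builds the host prefix the way the fix does: the prefix length
// is the address's own BitLen() (32 for IPv4, 128 for IPv6), which yields a
// single-host prefix that matches only the certificate IP.
func fixedPrefix(addr netip.Addr) netip.Prefix {
	return netip.PrefixFrom(addr, addr.BitLen())
}

// attributionCheck reports whether a packet claiming the given source address
// would be attributed to the certificate holder under the buggy prefix and
// under the fixed prefix, respectively. A "true" for an address other than
// the certificate IP is the spoofing window the advisory describes.
func attributionCheck(src string) (buggy bool, fixed bool) {
	addr, ipNet := certNetwork()
	s := netip.MustParseAddr(src)
	return vulnerablePrefix(addr, ipNet).Contains(s), fixedPrefix(addr).Contains(s)
}

func main() {
	addr, ipNet := certNetwork()
	fmt.Println("buggy prefix:", vulnerablePrefix(addr, ipNet)) // 10.10.0.5/24
	fmt.Println("fixed prefix:", fixedPrefix(addr))             // 10.10.0.5/32
	// Another node's address inside the same /24 is accepted by the buggy
	// prefix but rejected by the fixed one.
	b, f := attributionCheck("10.10.0.200")
	fmt.Printf("10.10.0.200 accepted: buggy=%v fixed=%v\n", b, f) // buggy=true fixed=false
}
```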
Source: This report was generated using AI