
CVE-2025-62820: Slack Nebula may accept arbitrary source IP addresses

CVSS Score (v3.1): 4.9

Basic Information

EPSS Score: 0.09617%
Published: 10/23/2025
Updated: 10/23/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L
Package Name: github.com/slackhq/nebula
Ecosystem: go
Vulnerable Versions: >= 1.9.4, < 1.9.7
First Patched Version: 1.9.7

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability lies in a custom CIDR tree implementation (cidr.Tree4 and cidr.Tree6) that Nebula used for IP-based access control in several places, including the firewall and the allow lists. Flaws in this bespoke implementation could be exploited to bypass access control checks, so that packets from unauthorized source IP addresses were processed as if they were legitimate. The patch replaces the custom code with a standard, well-tested CIDR matching library (github.com/gaissmai/bart) and migrates from net.IP to the more modern and safer net/netip package. The vulnerable functions listed below are the access control decision points that relied on the flawed CIDR tree; by exploiting the flaw in the underlying CIDR matching, an attacker could circumvent these checks.

Vulnerable functions

AllowList.Allow
allow_list.go
This function was responsible for checking if an IP address is present in the allow list. It used the vulnerable `MostSpecificContains` method from the custom CIDR tree implementation, which could be bypassed. An attacker could craft a source IP that would incorrectly pass this check.
Firewall.Drop
firewall.go
The `Drop` function in the firewall is a central point for packet filtering. It used the `Contains` method on a `cidr.Tree4` to validate that the source IP of a packet is allowed by the certificate of the remote host. A flaw in the `Contains` method could lead to a bypass of this check, allowing packets from unauthorized source IPs.
FirewallRule.match
firewall.go
This function is used to match a packet against a specific firewall rule. It iterated through the CIDR rules using `EachContains`, which relied on the vulnerable CIDR tree traversal logic. A bypass of this matching logic would allow a packet to be treated as matching a rule when it should not, or vice versa, leading to incorrect firewall behavior.
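As an added illustration (not Nebula's code and not the gaissmai/bart library the patch adopts), the following Go program implements the most-specific-prefix allow-list semantics described above on top of the standard net/netip package, failing closed on unparseable addresses and unmapping IPv4-mapped IPv6 addresses so that an address-family mismatch cannot slip past a rule. The rule set and test addresses are constructed for the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Rule pairs a CIDR prefix with an allow/deny decision. Constructed for this
// example; Nebula's own AllowList type and the bart table are not used here.
type Rule struct {
	Prefix netip.Prefix
	Allow  bool
}

// AllowList holds rules; the most specific (longest) matching prefix wins,
// mirroring the "most specific contains" semantics described above.
type AllowList struct{ rules []Rule }

// Add parses a CIDR string and stores it in canonical (masked) form so that
// a rule written with host bits set, e.g. "10.0.0.5/8", is normalised.
func (a *AllowList) Add(cidr string, allow bool) error {
	p, err := netip.ParsePrefix(cidr)
	if err != nil {
		return err
	}
	a.rules = append(a.rules, Rule{Prefix: p.Masked(), Allow: allow})
	return nil
}

// Allow reports whether ip is permitted. Unparseable or unmatched addresses
// are denied (fail closed). IPv4-mapped IPv6 addresses are unmapped first so a
// rule for 10.0.0.0/8 also governs ::ffff:10.1.2.3; netip's Prefix.Contains
// never matches across address families on its own.
func (a *AllowList) Allow(ipStr string) bool {
	ip, err := netip.ParseAddr(ipStr)
	if err != nil {
		return false
	}
	ip = ip.Unmap()
	best, found := Rule{}, false
	for _, r := range a.rules {
		if r.Prefix.Contains(ip) && (!found || r.Prefix.Bits() > best.Prefix.Bits()) {
			best, found = r, true
		}
	}
	return found && best.Allow
}

func main() {
	var al AllowList
	_ = al.Add("10.0.0.0/8", true)   // allow the whole /8 ...
	_ = al.Add("10.1.0.0/16", false) // ... except this more specific /16
	_ = al.Add("fd00::/8", true)
	for _, ip := range []string{"10.2.3.4", "10.1.9.9", "::ffff:10.2.3.4", "192.0.2.1", "bad"} {
		fmt.Println(ip, al.Allow(ip))
	}
}
```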

WAF Protection Rules

WAF Rule

Slack Nebula before 1.9.7 mishandles CIDR in some configurations and thus accepts arbitrary source IP addresses within the Nebula network.
