CVE-2025-59824: Omni Wireguard SideroLink potential escape
This vulnerability creates two distinct attack scenarios based on Omni’s IP forwarding configuration.

IP Forwarding Disabled (Default)

If IP forwarding is disabled, an attacker on a Talos machine can send packets over SideroLink to any listening service on Omni itself (e.g., an internal API). If Omni is running in host networking mode, any service on the host machine could also be targeted. While this is the default configuration, Omni does not enforce it.

IP Forwarding Enabled

If IP forwarding is enabled, an attacker on a Talos machine can communicate with other machines connected to Omni or route packets deeper into Omni’s network. Although this is not the default configuration, Omni does not check for or prevent this state.
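Because Omni does not check the forwarding state itself, an operator can verify it on the Omni host. The script below is an added defender-side check, not code from the advisory or the Omni project; it reads the standard Linux forwarding sysctls under /proc/sys (the ROOT variable only exists so the functions can be exercised against a constructed directory) and reports which of the two scenarios above applies.

```shell
#!/bin/sh
# Added example: classify an Omni host by its kernel IP forwarding state.
# ROOT defaults to the real procfs sysctl tree; it is overridable so the
# functions can be run against a constructed directory offline.
ROOT="${ROOT:-/proc/sys}"

# Print "enabled", "disabled" or "unknown" for one sysctl toggle file.
forwarding_state() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo "unknown"
        return 0
    fi
    case "$(tr -d '[:space:]' < "$file")" in
        0) echo "disabled" ;;
        1) echo "enabled" ;;
        *) echo "unknown" ;;
    esac
}

# Return 0 when forwarding is off for both address families (the default the
# advisory assumes), 1 when either family forwards (the wider scenario), and
# 2 when the state could not be determined.
classify_forwarding() {
    v4=$(forwarding_state "$ROOT/net/ipv4/ip_forward")
    v6=$(forwarding_state "$ROOT/net/ipv6/conf/all/forwarding")
    if [ "$v4" = "enabled" ] || [ "$v6" = "enabled" ]; then
        echo "IP forwarding enabled: SideroLink peers may be routed beyond the Omni host (ipv4=$v4 ipv6=$v6)"
        return 1
    fi
    if [ "$v4" = "disabled" ] && [ "$v6" = "disabled" ]; then
        echo "IP forwarding disabled: exposure limited to services listening on the Omni host (ipv4=$v4 ipv6=$v6)"
        return 0
    fi
    echo "IP forwarding state undetermined (ipv4=$v4 ipv6=$v6)"
    return 2
}

# Invoke as `sh check.sh --check` on the Omni host; the exit code is the
# classification above, so it can gate a deployment or feed a monitor.
if [ "${1:-}" = "--check" ]; then
    classify_forwarding
    exit $?
fi
```

A non-zero result means the host is in the scenario the advisory calls non-default and should be treated as the wider exposure until forwarding is turned off.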