CVE-2025-62820: Slack Nebula may accept arbitrary source IP addresses
Slack Nebula before 1.9.7 mishandles CIDR in some configurations and thus accepts arbitrary source IP addresses within the Nebula network.