Advisory GHSA-x6fh-7qmf-69xh references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/slackhq/nebula |
Description:
Slack Nebula before 1.9.7 mishandles CIDR in some configurations and thus accepts arbitrary source IP addresses within the Nebula network.
References:
- ADVISORY: GHSA-x6fh-7qmf-69xh
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-62820
- FIX: slackhq/nebula@e264a0f
- FIX: Fix incorrect CIDR construction in hostmap slackhq/nebula#1493
- FIX: Fix `HostInfo.remoteCidr` being too permissive with vpn addresses slackhq/nebula#1494
Cross references:
- github.com/slackhq/nebula appears in 1 other report(s):
  - data/excluded/GO-2023-2269.yaml (x/vulndb: potential Go vuln in github.com/slackhq/nebula: CVE-2020-11498 #2269) LEGACY_FALSE_POSITIVE
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/slackhq/nebula
      versions:
          - introduced: 1.9.4
          - fixed: 1.9.7
      vulnerable_at: 1.9.6
summary: Slack Nebula may accept arbitrary source IP addresses in github.com/slackhq/nebula
cves:
    - CVE-2025-62820
ghsas:
    - GHSA-x6fh-7qmf-69xh
references:
    - advisory: https://github.com/advisories/GHSA-x6fh-7qmf-69xh
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-62820
    - fix: https://github.com/slackhq/nebula/commit/e264a0ff888c7bf0568579306755a60fc42f6ecc
    - fix: https://github.com/slackhq/nebula/pull/1493
    - fix: https://github.com/slackhq/nebula/pull/1494
source:
    id: GHSA-x6fh-7qmf-69xh
    created: 2025-10-23T17:01:20.636010857Z
review_status: UNREVIEWED
```