GHSA-fp6w-8wpg-74g5 | Severity: Critical | Disclosed before NVD
stigmem-node: Auth-disabled deployments may grant broad anonymous access outside loopback
📋 Description
Impact
Stigmem nodes configured with authentication disabled could grant the anonymous identity broad read/write/federation capabilities if exposed outside a loopback-only local development environment. Impacted users are operators who intentionally disabled authentication while binding the node to a non-loopback URL.
Patches
Patched in 0.9.0a2. The node now refuses unauthenticated operation outside loopback-only local development.
Workarounds
Before upgrading, keep authentication enabled for all non-local deployments and do not expose nodes with authentication disabled to untrusted networks.
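The check below is an added example, not code from stigmem-node: a pre-start configuration gate that mirrors the 0.9.0a2 behaviour described above (refuse to run with authentication disabled unless the node is bound to a loopback address). The `auth_enabled` and `bind_url` parameters are hypothetical names; the project's real settings may differ, and bind addresses like 0.0.0.0 are deliberately treated as non-loopback because they listen on every interface.

```python
import ipaddress
from urllib.parse import urlsplit

# Hostnames treated as local. Constructed for this example; "localhost" is
# the only name assumed here, anything else must be a literal loopback IP.
LOOPBACK_NAMES = {"localhost"}


def is_loopback_bind(url: str) -> bool:
    """Return True only when the node would listen on a loopback address.

    Expects a full bind URL such as http://127.0.0.1:8080 or http://[::1]:8080.
    A value that cannot be parsed to a host (e.g. "127.0.0.1:8080" without a
    scheme) is treated as non-loopback, so malformed input fails closed.
    """
    host = urlsplit(url).hostname  # brackets stripped, lowercased, None if absent
    if not host:
        return False
    if host in LOOPBACK_NAMES:
        return True
    try:
        # 127.0.0.0/8 and ::1 are loopback; 0.0.0.0 and :: are not (all interfaces)
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # not an IP literal and not a known local name


def check_auth_posture(auth_enabled: bool, bind_url: str) -> tuple[bool, str]:
    """Decide whether the node may start. Returns (ok, reason).

    Unauthenticated operation is only acceptable on loopback, matching the
    restriction the advisory says the patched release enforces.
    """
    if auth_enabled:
        return True, "authentication enabled"
    if is_loopback_bind(bind_url):
        return True, "authentication disabled, but bound to loopback only"
    return False, (
        "refusing to start: authentication disabled and bound to "
        f"non-loopback address {bind_url!r}"
    )


if __name__ == "__main__":
    # Constructed sample deployments: the last one is the vulnerable shape.
    for auth, url in [(True, "http://0.0.0.0:8080"),
                      (False, "http://127.0.0.1:8080"),
                      (False, "http://0.0.0.0:8080")]:
        ok, reason = check_auth_posture(auth, url)
        print(f"auth={auth} bind={url}: {'OK' if ok else 'BLOCKED'} ({reason})")
```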
Upgrade
Upgrade to the patched release:
pip install --upgrade --pre stigmem-node
If developers install through the Stigmem meta-package instead, they should use the matching extra for their deployments, for example:
pip install --upgrade --pre 'stigmem[node]'
Resources
- Release: https://github.com/eidetic-labs/stigmem/releases/tag/v0.9.0a2
- Changelog: https://github.com/eidetic-labs/stigmem/blob/v0.9.0a2/CHANGELOG.md#L14-L35
- Security policy and posture: https://github.com/eidetic-labs/stigmem/blob/v0.9.0a2/SECURITY.md
🎯 Affected products (1)
- pip/stigmem-node: < 0.9.0a2
🔗 References (5)
- https://github.com/eidetic-labs/stigmem/security/advisories/GHSA-fp6w-8wpg-74g5
- https://github.com/eidetic-labs/stigmem/blob/v0.9.0a2/CHANGELOG.md#L14-L35
- https://github.com/eidetic-labs/stigmem/blob/v0.9.0a2/SECURITY.md
- https://github.com/eidetic-labs/stigmem/releases/tag/v0.9.0a2
- https://github.com/advisories/GHSA-fp6w-8wpg-74g5