GHSA-jmfc-hfjq-pxcp: stigmem-node's federation insecure transport settings may allow non-loopback cleartext federation

May 29, 2026

Stigmem nodes with federation enabled could be configured to run without mTLS outside loopback-only local development. In affected deployments, federation traffic may traverse the network without the intended transport protection. Impacted users are operators who enabled federation and explicitly disabled mTLS while binding the node to a non-loopback URL.

References

github.com/advisories/GHSA-jmfc-hfjq-pxcp
github.com/eidetic-labs/stigmem/security/advisories/GHSA-jmfc-hfjq-pxcp

Code Behaviors & Features

Detect and mitigate GHSA-jmfc-hfjq-pxcp with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →