GHSA-w7pm-9g55-mxfm: stigmem-node's unsigned plugin override could be enabled without a second explicit acknowledgment

May 29, 2026

A single configuration flag could disable plugin signature enforcement. If an operator unintentionally carried that setting into an environment where plugin paths are writable by less-trusted users, unsigned plugin code could be loaded.

References

github.com/advisories/GHSA-w7pm-9g55-mxfm
github.com/eidetic-labs/stigmem/blob/v0.9.0a2/CHANGELOG.md
github.com/eidetic-labs/stigmem/blob/v0.9.0a2/SECURITY.md
github.com/eidetic-labs/stigmem/releases/tag/v0.9.0a2
github.com/eidetic-labs/stigmem/security/advisories/GHSA-w7pm-9g55-mxfm

Code Behaviors & Features

Detect and mitigate GHSA-w7pm-9g55-mxfm with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →