GHSA-xh5j-xjfq-qvvx: stigmem-node's federation peer token timestamp validation may reject valid peer tokens

May 29, 2026

A mismatch in federation peer-token timestamp handling could cause valid peer tokens to be treated as expired. Impacted deployments are Stigmem nodes using federation peer authentication paths from affected versions. The primary impact is availability and reliability of authenticated federation flows.

References

github.com/advisories/GHSA-xh5j-xjfq-qvvx
github.com/eidetic-labs/stigmem/blob/v0.9.0a2/CHANGELOG.md
github.com/eidetic-labs/stigmem/blob/v0.9.0a2/SECURITY.md
github.com/eidetic-labs/stigmem/releases/tag/v0.9.0a2
github.com/eidetic-labs/stigmem/security/advisories/GHSA-xh5j-xjfq-qvvx

Code Behaviors & Features

Detect and mitigate GHSA-xh5j-xjfq-qvvx with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →