stigmem-node's federation insecure transport settings may allow non-loopback cleartext federation
📋 Description
Impact
Stigmem nodes with federation enabled could be configured to run without mTLS outside loopback-only local development. In affected deployments, federation traffic may traverse the network without the intended transport protection. Impacted users are operators who enabled federation and explicitly disabled mTLS while binding the node to a non-loopback URL.
Patches
Patched in 0.9.0a2. The node now refuses this configuration unless insecure federation is limited to loopback-only local development.
Workarounds
Before upgrading, operators should enable mTLS for federation or ensure federation endpoints are bound only to loopback/private test environments and are not reachable by untrusted networks.
Upgrade
Upgrade to the patched release:
pip install --upgrade --pre stigmem-node
If developers install through the Stigmem meta-package instead, they should use the matching extra for deployments, for example:
pip install --upgrade --pre 'stigmem[node]'
Resources
- Release: https://github.com/eidetic-labs/stigmem/releases/tag/v0.9.0a2
- Changelog: https://github.com/eidetic-labs/stigmem/blob/v0.9.0a2/CHANGELOG.md#L14-L35
- Security policy and posture: https://github.com/eidetic-labs/stigmem/blob/v0.9.0a2/SECURITY.md
🎯 Affected products1
- pip/stigmem-node:< 0.9.0a2