What Happened
A vulnerability was discovered in stigmem-node that allows deployments with authentication disabled to grant broad read/write/federation capabilities to anonymous users if exposed outside a loopback-only local development environment.
Who Is Affected
Operators who intentionally disabled authentication while binding the node to a non-loopback URL are impacted.
Severity & Impact
The severity of this vulnerability is rated at 9.2. Impacted deployments may allow unauthorized access and modifications.
Mitigation
To mitigate this vulnerability, users can keep authentication enabled for all non-local deployments, avoid exposing nodes with authentication disabled to untrusted networks, or upgrade to the patched release (0.9.0a2) with pip: pip install --upgrade --pre stigmem-node (or pip install --upgrade --pre 'stigmem[node]' for users of the Stigmem meta-package).
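The unsafe combination described above is "authentication disabled" together with a non-loopback bind address. The following startup guard is an added example, not code from stigmem-node; the function names, the bind URL format and the auth flag are assumptions, and the guard refuses to start a node that disables authentication unless it binds strictly to a loopback address.

```python
# Added example (not stigmem-node's own code): a startup/audit guard that
# rejects "authentication disabled" unless the bind URL is loopback-only.
# Function names and the bind_url / auth_enabled settings are hypothetical.
import ipaddress
from urllib.parse import urlsplit

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def is_loopback_bind(bind_url: str) -> bool:
    """True only if the listener is reachable solely from the local host.

    Wildcard binds (0.0.0.0, ::, or an empty host) count as NOT loopback,
    since they expose the listener on every interface.
    """
    host = (urlsplit(bind_url).hostname or "").lower()
    if not host:
        return False            # e.g. "http://:8080" binds all interfaces
    if host in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False            # other hostnames: assume remotely reachable


def check_auth_policy(bind_url: str, auth_enabled: bool) -> str:
    """Return a verdict, or raise if auth is off on a non-loopback bind.

    Disabling authentication is only acceptable for loopback-only
    development nodes; anything else must keep authentication enabled.
    """
    if auth_enabled:
        return "ok: authentication enabled"
    if is_loopback_bind(bind_url):
        return "ok: auth disabled, but bind is loopback-only"
    raise RuntimeError(
        f"refusing to start: authentication disabled on non-loopback "
        f"bind {bind_url!r}; enable authentication or bind to 127.0.0.1/::1"
    )


if __name__ == "__main__":
    for url, auth in [("http://127.0.0.1:8080", False),
                      ("http://0.0.0.0:8080", False),
                      ("http://0.0.0.0:8080", True)]:
        try:
            print(url, auth, "->", check_auth_policy(url, auth))
        except RuntimeError as exc:
            print(url, auth, "->", exc)
```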