Active Debug Code Affecting stigmem-node package, versions [,0.9.0a2)


Severity
CVSS assessment by Snyk's Security Team.

  • Snyk ID: SNYK-PYTHON-STIGMEMNODE-17661124
  • Published: 28 Jun 2026
  • Disclosed: 29 May 2026
  • Credit: Unknown

Introduced: 29 May 2026

CVE: not available
CWE: CWE-319, CWE-489

How to fix?

Upgrade stigmem-node to version 0.9.0a2 or higher.

Overview

stigmem-node is a Stigmem reference node, a single-host production implementation.

Affected versions of this package are vulnerable to Active Debug Code in the federation process when mTLS is explicitly disabled and the node is bound to a non-loopback URL. An attacker can intercept sensitive federation traffic by performing a network man-in-the-middle attack. This is only exploitable if federation is enabled, mTLS is disabled, and the node is configured to listen on a non-loopback interface.

Workaround

This vulnerability can be mitigated by enabling mTLS for federation or ensuring federation endpoints are only bound to loopback/private test environments and are not accessible from untrusted networks.
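The three preconditions above (federation enabled, mTLS disabled, non-loopback bind) can be checked mechanically before a node is started. The following audit function is an added example, not code from stigmem-node; the config keys `federation.enabled`, `federation.mtls` and `federation.bind_url` are assumed for illustration, since the project's real config schema is not given on this page.

```python
"""Flag the unsafe federation combination described in the advisory:
federation enabled + mTLS disabled + bound to a non-loopback address.

The config layout used here is an ASSUMPTION for illustration; it is not
stigmem-node's actual schema.
"""
import ipaddress
from urllib.parse import urlsplit


def _is_loopback_host(host: str) -> bool:
    """True for 'localhost' or an IPv4/IPv6 loopback literal.

    Any other hostname is treated as non-loopback, because it may resolve
    to a routable address and we cannot verify that offline.
    """
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False


def audit_federation(cfg: dict) -> list[str]:
    """Return findings for the advisory's condition; empty means not affected."""
    fed = cfg.get("federation", {})
    if not fed.get("enabled", False):
        return []  # federation off: the advisory's precondition does not hold
    host = urlsplit(fed.get("bind_url", "")).hostname or ""
    # A missing/absent mtls key is treated as enabled; only an explicit
    # False matches "mTLS is explicitly disabled" from the advisory.
    if fed.get("mtls", True) is False and not _is_loopback_host(host):
        return [
            f"federation bound to non-loopback {host!r} with mTLS disabled: "
            "traffic is exposed to on-path interception; enable mTLS or bind "
            "to a loopback/private test interface"
        ]
    return []


# Constructed sample configs (not taken from the project).
UNSAFE = {"federation": {"enabled": True, "mtls": False, "bind_url": "http://0.0.0.0:8443"}}
FIXED = {"federation": {"enabled": True, "mtls": True, "bind_url": "https://0.0.0.0:8443"}}
LOCAL = {"federation": {"enabled": True, "mtls": False, "bind_url": "http://127.0.0.1:8443"}}

if __name__ == "__main__":
    for name, conf in [("unsafe", UNSAFE), ("fixed", FIXED), ("local", LOCAL)]:
        print(name, audit_federation(conf) or "ok")
```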
