Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/253700?format=api
{
  "url": "http://public2.vulnerablecode.io/api/packages/253700?format=api",
  "purl": "pkg:npm/faye@0.6.4",
  "type": "npm",
  "namespace": "",
  "name": "faye",
  "version": "0.6.4",
  "qualifiers": {},
  "subpath": "",
  "is_vulnerable": true,
  "next_non_vulnerable_version": "1.0.4",
  "latest_non_vulnerable_version": "1.2.5",
  "affected_by_vulnerabilities": [
    {
      "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51625?format=api",
      "vulnerability_id": "VCID-t6zf-6pz1-4fhe",
      "summary": "Authentication and extension bypass in Faye\nOn 20 April 2020 it was reported to me that the potential for authentication\nbypass exists in [Faye][1]'s extension system. This vulnerability has existed in\nthe Node.js and Ruby versions of the server since version 0.5.0, when extensions\nwere first introduced, in July 2010. It is patched in versions 1.0.4, 1.1.3 and\n1.2.5, which we are releasing today.\n\nThe vulnerability allows any client to bypass checks put in place by server-side\nextensions, by appending extra segments to the message channel. For example, the\nFaye [extension docs][2] suggest that users implement access control for\nsubscriptions by checking incoming messages for the `/meta/subscribe` channel,\nfor example:\n\n```js\nserver.addExtension({\n incoming: function(message, callback) {\n if (message.channel === '/meta/subscribe') {\n if (message.ext.authToken !== 'my super secret password') {\n message.error = 'Invalid auth token';\n }\n }\n callback(message);\n }\n});\n```\n\nA bug in the server's code for recognising the special `/meta/*` channels, which\ntrigger connection and subscription events, means that a client can bypass this\ncheck by sending a message to `/meta/subscribe/x` rather than `/meta/subscribe`:\n\n```json\n{\n \"channel\": \"/meta/subscribe/x\",\n \"clientId\": \"3jrc6602npj4gyp6bn5ap2wqzjtb2q3\",\n \"subscription\": \"/foo\"\n}\n```\n\nThis message will not be checked by the above extension, as it checks the\nmessage's channel is exactly equal to `/meta/subscribe`. But it will still be\nprocessed as a subscription request by the server, so the client becomes\nsubscribed to the channel `/foo` without supplying the necessary credentials.\n\nThe vulnerability is caused by the way the Faye server recognises meta channels.\nIt will treat a message to any channel that's a prefix-match for one of the\nspecial channels `/meta/handshake`, `/meta/connect`, `/meta/subscribe`,\n`/meta/unsubscribe` or `/meta/disconnect`, as though it were an exact match for\nthat channel. So, a message to `/meta/subscribe/x` is still processed as a\nsubscription request, for example.\n\nAn authentication bypass for subscription requests is the most serious effect of\nthis but all other meta channels are susceptible to similar manipulation.\n\nThis parsing bug in the server is fixed in versions 1.0.4, 1.1.3 and 1.2.5.\nThese should be drop-in replacements for prior versions and you should upgrade\nimmediately if you are running any prior version.\n\nIf you are unable to install one of these versions, you can make your extensions\ncatch all messages the server would process by checking the channel _begins_\nwith the expected channel name, for example:\n\n```js\nserver.addExtension({\n incoming: function(message, callback) {\n if (message.channel.startsWith('/meta/subscribe')) {\n // authentication logic\n }\n callback(message);\n }\n});\n```\n\n[1]: https://faye.jcoglan.com/\n[2]: https://faye.jcoglan.com/node/extensions.html",
      "references": [
        {
          "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-11020",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {
              "value": "0.00365",
              "scoring_system": "epss",
              "scoring_elements": "0.58783",
              "published_at": "2026-06-04T12:55:00Z"
            },
            {
              "value": "0.00365",
              "scoring_system": "epss",
              "scoring_elements": "0.58829",
              "published_at": "2026-06-05T12:55:00Z"
            }
          ],
          "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-11020"
        },
        {
          "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11020",
          "reference_id": "",
          "reference_type": "",
          "scores": [],
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11020"
        },
        {
          "reference_url": "https://github.com/faye/faye",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {
              "value": "8.5",
              "scoring_system": "cvssv3.1",
              "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"
            },
            {
              "value": "HIGH",
              "scoring_system": "generic_textual",
              "scoring_elements": ""
            }
          ],
          "url": "https://github.com/faye/faye"
        },
        {
          "reference_url": "https://github.com/faye/faye/commit/65d297d341b607f3cb0b5fa6021a625a991cc30e",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {
              "value": "8.5",
              "scoring_system": "cvssv3.1",
              "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"
            },
            {
              "value": "HIGH",
              "scoring_system": "generic_textual",
              "scoring_elements": ""
            }
          ],
          "url": "https://github.com/faye/faye/commit/65d297d341b607f3cb0b5fa6021a625a991cc30e"
        },
        {
          "reference_url": "https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {
              "value": "8.5",
              "scoring_system": "cvssv3",
              "scoring_elements": ""
            },
            {
              "value": "8.5",
              "scoring_system": "cvssv3.1",
              "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"
            },
            {
              "value": "HIGH",
              "scoring_system": "cvssv3.1_qr",
              "scoring_elements": ""
            },
            {
              "value": "HIGH",
              "scoring_system": "generic_textual",
              "scoring_elements": ""
            }
          ],
          "url": "https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5"
        },
        {
          "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/faye/CVE-2020-11020.yml",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {
              "value": "8.5",
              "scoring_system": "cvssv3.1",
              "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"
            },
            {
              "value": "HIGH",
              "scoring_system": "generic_textual",
              "scoring_elements": ""
            }
          ],
          "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/faye/CVE-2020-11020.yml"
        },
        {
          "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959392",
          "reference_id": "959392",
          "reference_type": "",
          "scores": [],
          "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959392"
        },
        {
          "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11020",
          "reference_id": "CVE-2020-11020",
          "reference_type": "",
          "scores": [
            {
              "value": "8.5",
              "scoring_system": "cvssv3.1",
              "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"
            },
            {
              "value": "HIGH",
              "scoring_system": "generic_textual",
              "scoring_elements": ""
            }
          ],
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11020"
        },
        {
          "reference_url": "https://github.com/advisories/GHSA-qpg4-4w7w-2mq5",
          "reference_id": "GHSA-qpg4-4w7w-2mq5",
          "reference_type": "",
          "scores": [
            {
              "value": "HIGH",
              "scoring_system": "cvssv3.1_qr",
              "scoring_elements": ""
            }
          ],
          "url": "https://github.com/advisories/GHSA-qpg4-4w7w-2mq5"
        }
      ],
      "fixed_packages": [
        {
          "url": "http://public2.vulnerablecode.io/api/packages/77188?format=api",
          "purl": "pkg:npm/faye@1.0.4",
          "is_vulnerable": false,
          "affected_by_vulnerabilities": [],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/faye@1.0.4"
        },
        {
          "url": "http://public2.vulnerablecode.io/api/packages/77189?format=api",
          "purl": "pkg:npm/faye@1.1.3",
          "is_vulnerable": false,
          "affected_by_vulnerabilities": [],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/faye@1.1.3"
        },
        {
          "url": "http://public2.vulnerablecode.io/api/packages/77190?format=api",
          "purl": "pkg:npm/faye@1.2.5",
          "is_vulnerable": false,
          "affected_by_vulnerabilities": [],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/faye@1.2.5"
        }
      ],
      "aliases": [
        "CVE-2020-11020",
        "GHSA-qpg4-4w7w-2mq5"
      ],
      "risk_score": 4.0,
      "exploitability": "0.5",
      "weighted_severity": "8.0",
      "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t6zf-6pz1-4fhe"
    }
  ],
  "fixing_vulnerabilities": [],
  "risk_score": "4.0",
  "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/faye@0.6.4"
}