{"url":"http://public2.vulnerablecode.io/api/packages/446466?format=json","purl":"pkg:gem/faye@0.8.4","type":"gem","namespace":"","name":"faye","version":"0.8.4","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.4.0","latest_non_vulnerable_version":"1.4.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41170?format=json","vulnerability_id":"VCID-4mph-1u7n-kffq","summary":"Missing TLS certificate verification\nFaye uses [em-http-request][6] and [faye-websocket][10] in the Ruby version of its client. Those libraries both use the [`EM::Connection#start_tls`][1] method in [EventMachine][2] to implement the TLS handshake whenever a `wss:` URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any `https:` or `wss:` connection made using these libraries is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to.\n\nThe first request a Faye client makes is always sent via normal HTTP, but later messages may be sent via WebSocket. Therefore it is vulnerable to the same problem that these underlying libraries are, and we needed both libraries to support TLS verification before Faye could claim to do the same. Your client would still be insecure if its initial HTTPS request was verified, but later WebSocket connections were not.\n\nThis has been a requested feature in EventMachine for many years now; see for example [#275][3], [#378][4], and [#814][5]. 
In June 2020, em-http-request published an [advisory][7] related to this problem and fixed it by [implementing TLS verification][8] in their own codebase; although EventMachine does not implement certificate verification itself, it provides an extension point for the caller to implement it, called [`ssl_verify_peer`][9]. Based on this implementation, we have incorporated similar functionality into faye-websocket.\n\nAfter implementing verification in v1.1.6, em-http-request has elected to leave the `:verify_peer` option switched off by default. We have decided to _enable_ this option by default in Faye, but are publishing a minor release with added functionality for configuring it. We are mindful of the fact that this may break existing programs, but we consider it much more important that all clients have TLS verification turned on by default. A client that is not carrying out verification is either:\n\n- talking to the expected server, and will not break under this change\n- being attacked, and would benefit from being alerted to this fact\n- deliberately talking to a server that would be rejected by verification\n\nThe latter case includes situations like talking to a non-public server using a self-signed certificate. We consider this use case to be \"working by accident\", rather than functionality that was actively supported, and it should be properly and explicitly supported instead.\n\nWe are releasing Faye v1.4.0, which enables verification by default and provides a way to opt out of it:\n\n```rb\nclient = Faye::Client.new('https://example.com/', tls: { verify_peer: false })\n```\n\nUnfortunately we can't offer an equivalent of the `:root_cert_file` option that has been added to faye-websocket, because em-http-request does not support it. 
If you need to talk to a server whose certificate is not recognised by your default root certificates, then you need to add its certificate (or another one that can verify it) to your system's root set.\n\nThe same functionality is now supported in the Node.js version, with a `tls` option whose values will be passed to the `https` and `tls` modules as appropriate when making connections. For example, you can provide your own CA certificate:\n\n```js\nvar client = new faye.Client('https://example.com/', {\n  tls: {\n    ca: fs.readFileSync('path/to/certificate.pem')\n  }\n});\n```\n\nFor further background information on this issue, please see [faye#524][12] and [faye-websocket#129][13]. We would like to thank [Tero Marttila][14] and [Daniel Morsing][15] for providing invaluable assistance and feedback on this issue.\n\n[1]: https://www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:start_tls\n[2]: https://rubygems.org/gems/eventmachine\n[3]: https://github.com/eventmachine/eventmachine/issues/275\n[4]: https://github.com/eventmachine/eventmachine/pull/378\n[5]: https://github.com/eventmachine/eventmachine/issues/814\n[6]: https://rubygems.org/gems/em-http-request\n[7]: https://securitylab.github.com/advisories/GHSL-2020-094-igrigorik-em-http-request\n[8]: https://github.com/igrigorik/em-http-request/pull/340\n[9]: https://www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:ssl_verify_peer\n[10]: https://rubygems.org/gems/faye-websocket\n[11]: https://faye.jcoglan.com/\n[12]: https://github.com/faye/faye/issues/524\n[13]: https://github.com/faye/faye-websocket-ruby/pull/129\n[14]: https://github.com/SpComb\n[15]: 
https://github.com/DanielMorsing","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-15134","reference_id":"","reference_type":"","scores":[{"value":"0.00122","scoring_system":"epss","scoring_elements":"0.30897","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-15134"},{"reference_url":"https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye"},{"reference_url":"https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye/","reference_id":"","reference_type":"","scores":[],"url":"https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye/"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15134","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15134"},{"reference_url":"https://github.com/eventmachine/eventmachine/issues/275","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/eventmachine/eventmachine/issues/275"},{"reference_url":"https://github.com/eventmachine/eventmachine/issues/814","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/eventmachine/eventmachine/issues/814"},{"reference_url":"https://github.com/eventmachine/eventmachine/pull/378","reference_id":"",
"reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/eventmachine/eventmachine/pull/378"},{"reference_url":"https://github.com/faye/faye","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/faye/faye"},{"reference_url":"https://github.com/faye/faye/issues/524","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/faye/faye/issues/524"},{"reference_url":"https://github.com/faye/faye/security/advisories/GHSA-3q49-h8f9-9fr9","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3","scoring_elements":""},{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/faye/faye/security/advisories/GHSA-3q49-h8f9-9fr9"},{"reference_url":"https://github.com/faye/faye-websocket-ruby/pull/129","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/faye/faye-websocket-ruby/pull/129"},{"reference_url":"https://github.com/igrigorik/em-http-request/pull/340","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1
","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/igrigorik/em-http-request/pull/340"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/faye/CVE-2020-15134.yml","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/faye/CVE-2020-15134.yml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15134","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15134"},{"reference_url":"https://securitylab.github.com/advisories/GHSL-2020-094-igrigorik-em-http-request","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://securitylab.github.com/advisories/GHSL-2020-094-igrigorik-em-http-request"},{"reference_url":"https://www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:ssl_verify_peer","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:ssl_verify_peer"},{"reference_url":"https://www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:start_tls","reference_i
d":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:start_tls"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=967063","reference_id":"967063","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=967063"},{"reference_url":"https://github.com/advisories/GHSA-3q49-h8f9-9fr9","reference_id":"GHSA-3q49-h8f9-9fr9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3q49-h8f9-9fr9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74789?format=json","purl":"pkg:gem/faye@1.4.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/faye@1.4.0"}],"aliases":["CVE-2020-15134","GHSA-3q49-h8f9-9fr9"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4mph-1u7n-kffq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39480?format=json","vulnerability_id":"VCID-hvgf-j7pt-9qgs","summary":"Authentication and extension bypass in Faye\nOn 20 April 2020 it was reported to me that the potential for authentication bypass exists in [Faye][1]'s extension system. This vulnerability has existed in the Node.js and Ruby versions of the server since version 0.5.0, when extensions were first introduced, in July 2010. It is patched in versions 1.0.4, 1.1.3 and 1.2.5, which we are releasing today.\n\nThe vulnerability allows any client to bypass checks put in place by server-side extensions, by appending extra segments to the message channel. 
For example, the Faye [extension docs][2] suggest that users implement access control for subscriptions by checking incoming messages for the `/meta/subscribe` channel:\n\n```js\nserver.addExtension({\n  incoming: function(message, callback) {\n    if (message.channel === '/meta/subscribe') {\n      if (message.ext.authToken !== 'my super secret password') {\n        message.error = 'Invalid auth token';\n      }\n    }\n    callback(message);\n  }\n});\n```\n\nA bug in the server's code for recognising the special `/meta/*` channels, which trigger connection and subscription events, means that a client can bypass this check by sending a message to `/meta/subscribe/x` rather than `/meta/subscribe`:\n\n```json\n{\n  \"channel\": \"/meta/subscribe/x\",\n  \"clientId\": \"3jrc6602npj4gyp6bn5ap2wqzjtb2q3\",\n  \"subscription\": \"/foo\"\n}\n```\n\nThis message will not be checked by the above extension, as it checks that the message's channel is exactly equal to `/meta/subscribe`. But it will still be processed as a subscription request by the server, so the client becomes subscribed to the channel `/foo` without supplying the necessary credentials.\n\nThe vulnerability is caused by the way the Faye server recognises meta channels. It will treat a message to any channel that's a prefix-match for one of the special channels `/meta/handshake`, `/meta/connect`, `/meta/subscribe`, `/meta/unsubscribe` or `/meta/disconnect`, as though it were an exact match for that channel. So, a message to `/meta/subscribe/x` is still processed as a subscription request, for example.\n\nAn authentication bypass for subscription requests is the most serious effect of this, but all other meta channels are susceptible to similar manipulation.\n\nThis parsing bug in the server is fixed in versions 1.0.4, 1.1.3 and 1.2.5. 
These should be drop-in replacements for prior versions and you should upgrade immediately if you are running any prior version.\n\nIf you are unable to install one of these versions, you can make your extensions catch all messages the server would process by checking the channel _begins_ with the expected channel name, for example:\n\n```js\nserver.addExtension({\n  incoming: function(message, callback) {\n    if (message.channel.startsWith('/meta/subscribe')) {\n      // authentication logic\n    }\n    callback(message);\n  }\n});\n```\n\n[1]: https://faye.jcoglan.com/\n[2]: https://faye.jcoglan.com/node/extensions.html","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-11020","reference_id":"","reference_type":"","scores":[{"value":"0.00365","scoring_system":"epss","scoring_elements":"0.58741","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-11020"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11020","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11020"},{"reference_url":"https://github.com/faye/faye","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/faye/faye"},{"reference_url":"https://github.com/faye/faye/commit/65d297d341b607f3cb0b5fa6021a625a991cc30e","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/faye/faye/commit/65d297d341b607f3cb0b5fa6021a625a991cc30e"},{"reference_url":"https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5","reference_id":"","reference_type"
:"","scores":[{"value":"8.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/faye/CVE-2020-11020.yml","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/faye/CVE-2020-11020.yml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11020","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11020"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959392","reference_id":"959392","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959392"},{"reference_url":"https://github.com/advisories/GHSA-qpg4-4w7w-2mq5","reference_id":"GHSA-qpg4-4w7w-2mq5","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qpg4-4w7w-2mq5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73312?format=json","purl":"pkg:gem/faye@1.0.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4mph-1u7n-kffq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/faye@1.0.4"},{"url":"http://public2.vulnerablecode.io/api/
packages/73313?format=json","purl":"pkg:gem/faye@1.1.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4mph-1u7n-kffq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/faye@1.1.3"},{"url":"http://public2.vulnerablecode.io/api/packages/73314?format=json","purl":"pkg:gem/faye@1.2.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4mph-1u7n-kffq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/faye@1.2.5"}],"aliases":["CVE-2020-11020","GHSA-qpg4-4w7w-2mq5"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hvgf-j7pt-9qgs"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.8.4"}