PT-2020-14214 · Unknown · Faye-Websocket
Daniel Morsing
Published 2020-07-31 · Updated 2020-08-11
CVE-2020-15134
CVSS v3.1 8.7 High
| Vector | AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Faye versions prior to 1.4.0
Description
The issue is related to a lack of certificate validation in TLS handshakes. Faye uses em-http-request and faye-websocket, which rely on the EM::Connection#start_tls method in EventMachine. This method does not implement certificate verification by default, making any https: or wss: connection vulnerable to a man-in-the-middle attack. The first request a Faye client makes is sent via normal HTTP, but later messages may be sent via WebSocket, making it vulnerable to the same problem. This issue is fixed in Faye v1.4.0, which enables verification by default.
Recommendations
For versions prior to 1.4.0, update to Faye v1.4.0 to enable verification by default.
As a temporary workaround, consider configuring the tls option to verify peers, for example, in Ruby: client = Faye::Client.new('https://example.com/', tls: { verify_peer: true }) or in Node.js: var client = new faye.Client('https://example.com/', { tls: { ca: fs.readFileSync('path/to/certificate.pem') } });
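To make concrete what the verify_peer setting changes, the following is an added example written for this advisory, not code from Faye, EventMachine or the advisory's authors. It uses only Ruby's standard openssl and socket libraries: it builds a constructed self-signed certificate for example.com (standing in for a server, or an interposer, whose certificate no trusted root has signed) and runs the same TLS handshake three times over an in-process socket pair, once with VERIFY_NONE (the old start_tls default), once with VERIFY_PEER against the system root store, and once with VERIFY_PEER plus that certificate pinned into the store. The function names make_self_signed_cert, verifying_context, non_verifying_context, attempt_handshake and demo are this example's own, and EventMachine's start_tls is modelled by a plain OpenSSL::SSL::SSLSocket.

```ruby
require 'openssl'
require 'socket'

# Constructed for this example: a throwaway self-signed certificate that stands
# in for a server (or an interposer) whose certificate no trusted CA has signed.
def make_self_signed_cert(common_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature,keyEncipherment,keyCertSign', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Client context behaving like the fixed default: the peer certificate must chain
# to a trusted root (system roots plus any explicitly pinned certificates) and
# must match the hostname the client asked for.
def verifying_context(pinned_certs = [])
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  pinned_certs.each { |c| store.add_cert(c) }
  ctx.cert_store = store
  ctx
end

# Client context equivalent to the old start_tls default: any certificate is accepted.
def non_verifying_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  ctx.verify_hostname = false
  ctx
end

# Run one TLS handshake over an in-process socket pair and report whether the
# client accepted the server's certificate (:connected) or refused it (:rejected).
def attempt_handshake(client_ctx, server_key, server_cert, host)
  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.key  = server_key
  server_ctx.cert = server_cert
  client_raw, server_raw = UNIXSocket.pair

  server = Thread.new do
    begin
      OpenSSL::SSL::SSLSocket.new(server_raw, server_ctx).accept
    rescue OpenSSL::SSL::SSLError, IOError, SystemCallError
      # The client refused our certificate and tore the connection down.
    ensure
      server_raw.close
    end
  end

  client = OpenSSL::SSL::SSLSocket.new(client_raw, client_ctx)
  client.hostname = host # SNI, and the name checked when verify_hostname is on
  outcome = begin
    client.connect
    :connected
  rescue OpenSSL::SSL::SSLError
    :rejected
  ensure
    client_raw.close
  end
  server.join
  outcome
end

# The three client configurations side by side, against the same untrusted certificate.
def demo(host = 'example.com')
  key, cert = make_self_signed_cert(host)
  {
    no_verification:    attempt_handshake(non_verifying_context,      key, cert, host),
    verify_peer:        attempt_handshake(verifying_context,          key, cert, host),
    verify_peer_pinned: attempt_handshake(verifying_context([cert]),  key, cert, host),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, outcome| puts "#{name}: #{outcome}" }
end
```

The first run connects regardless of who signed the certificate, which is exactly the position a Faye client was in before 1.4.0; the second refuses it because nothing in the root store vouches for it; the third connects again only because the operator deliberately added the certificate to the trusted set, which is the "add its certificate to your system's root set" path described in the recommendation.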
If you need to talk to servers whose certificates are not recognised by your default root certificates, add their certificates to your system's root set.
Weakness Enumeration
Improper Certificate Validation
Affected Products
Eventmachine
Faye
Em-Http-Request
Faye-Websocket