Missing TLS certificate verification in Faye
Description
Faye before version 1.4.0, there is a lack of certification validation in TLS handshakes. Faye uses em-http-request and faye-websocket in the Ruby version of its client. Those libraries both use the EM::Connection#start_tls method in EventMachine to implement the TLS handshake whenever a wss: URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any https: or wss: connection made using these libraries is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to. The first request a Faye client makes is always sent via normal HTTP, but later messages may be sent via WebSocket. Therefore it is vulnerable to the same problem that these underlying libraries are, and we needed both libraries to support TLS verification before Faye could claim to do the same. Your client would still be insecure if its initial HTTPS request was verified, but later WebSocket connections were not. This is fixed in Faye v1.4.0, which enables verification by default. For further background information on this issue, please see the referenced GitHub Advisory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Faye before v1.4.0 lacks TLS certificate verification in its Ruby client, enabling man-in-the-middle attacks on WebSocket and HTTPS connections.
CVE-2020-15134 describes a missing TLS certificate verification vulnerability in Faye, a WebSocket client library for Ruby, before version 1.4.0. The root cause is that Faye's Ruby client relies on EM::Connection#start_tls from EventMachine, which does not perform certificate validation by default. This lack of verification means that when a wss: or https: connection is made, the client does not confirm that the server presents a valid and trusted TLS certificate for the expected hostname [1][2].
To exploit this vulnerability, an attacker must be able to perform a man-in-the-middle (MITM) attack on the network path between the Faye client and the server. No authentication is required, as the attack is on the transport layer. The initial request from a Faye client uses plain HTTP, and subsequent messages may use WebSockets, meaning both the initial and future connections are vulnerable unless both em-http-request and faye-websocket implement verification [3][4].
The impact is that an attacker can intercept, read, or modify sensitive data transmitted over what should be a secure encrypted channel. This includes WebSocket messages and HTTPS traffic, potentially compromising the confidentiality and integrity of all communications [2][4].
Faye v1.4.0, released on 2020-07-31, fixes the issue by enabling TLS certificate verification by default in its faye-websocket library. Users are strongly advised to update to this version. For those using em-http-request, version 1.1.6 includes a fix but leaves verification off by default; users must enable the :verify_peer option in their code [1][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
fayeRubyGems | < 1.4.0 | 1.4.0 |
Affected products
2- faye/fayev5Range: < 1.4.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
15- github.com/advisories/GHSA-3q49-h8f9-9fr9ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-15134ghsaADVISORY
- securitylab.github.com/advisories/GHSL-2020-094-igrigorik-em-http-requestghsaADVISORY
- blog.jcoglan.com/2020/07/31/missing-tls-verification-in-fayeghsaWEB
- blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye/mitrex_refsource_MISC
- github.com/eventmachine/eventmachine/issues/275ghsaWEB
- github.com/eventmachine/eventmachine/issues/814ghsaWEB
- github.com/eventmachine/eventmachine/pull/378ghsaWEB
- github.com/faye/faye-websocket-ruby/pull/129ghsaWEB
- github.com/faye/faye/issues/524ghsaWEB
- github.com/faye/faye/security/advisories/GHSA-3q49-h8f9-9fr9ghsax_refsource_CONFIRMWEB
- github.com/igrigorik/em-http-request/pull/340ghsaWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/faye/CVE-2020-15134.ymlghsaWEB
- www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:ssl_verify_peerghsaWEB
- www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:start_tlsghsaWEB
News mentions
0No linked articles in our index yet.