faye is a simple pub/sub messaging for the web.
Affected versions of this package are vulnerable to Improper Access Control. The Server parses channels in a way that means any channel namespaced under
/meta/subscribe will also work as a subscription request. For example if the client sends a message to the channel
/meta/subscribe/x, that will bypass most authentication extensions but will still be interpreted by the server as a subscription request, and the client will be subscribed to the requested channel. The client has thus bypassed the user's access control policy.
faye to version 1.0.4, 1.1.3, 1.2.5 or higher.