faye-websocket is a standards-compliant WebSocket server and client.
Affected versions of this package are vulnerable to Improper Certificate Validation in TLS handshakes. The Faye::WebSocket::Client class uses the EM::Connection#start_tls method in EventMachine to implement the TLS handshake whenever a wss: URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname.
Upgrade faye-websocket to version 0.11.0 or higher.
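
The two checks described above (a chain to a trusted CA, and a certificate issued for the expected hostname), written out with Ruby's standard openssl library against a constructed throwaway PKI. This is an added example, not code from faye-websocket or EventMachine; the helper names, CA names and hostnames are assumptions chosen for illustration.

```ruby
require "openssl"

# Build a certificate for a constructed, throwaway PKI (all names are sample values).
def make_cert(cn, key, issuer_cert, issuer_key, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{cn}")) unless ca
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
  cert
end

# The two checks a TLS client has to make on the peer certificate:
# 1. it chains to a CA in the trust store, 2. it was issued for the host we dialled.
def check_peer(leaf, hostname, store)
  return :untrusted_chain unless store.verify(leaf)
  return :hostname_mismatch unless OpenSSL::SSL.verify_certificate_identity(leaf, hostname)
  :ok
end

# Run the checks over three constructed cases and return the verdicts.
def demo
  ca_key, other_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  ca = make_cert("Constructed Trusted CA", ca_key, nil, ca_key, ca: true)
  other_ca = make_cert("Constructed Untrusted CA", other_key, nil, other_key, ca: true)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca) # only this CA is trusted
  good = make_cert("ws.example.test", leaf_key, ca, ca_key)
  untrusted_leaf = make_cert("ws.example.test", leaf_key, other_ca, other_key)
  {
    valid: check_peer(good, "ws.example.test", store),
    wrong_host: check_peer(good, "other.example.test", store),
    untrusted: check_peer(untrusted_leaf, "ws.example.test", store),
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```

A client that performs neither check treats all three cases as the same successful handshake.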