CVE-2025-46553
2.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:P
Summary
@misskey-dev/summaly is a tool for getting a summary of a web page. Starting in version 3.0.1 and prior to version 5.2.1, a logic error in the main summaly function causes the allowRedirects option to never be passed to any plugins, and as a result, isn't enforced. Misskey will follow redirects, despite explicitly requesting not to. Version 5.2.1 contains a patch for the issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| misskey-dev | summaly | >= 3.0.1, < 5.2.1 | affected |
Weaknesses
- CWE-693: CWE-693: Protection Mechanism Failure
- CWE-601: CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
- CWE-665: CWE-665: Improper Initialization
- CWE-669: CWE-669: Incorrect Resource Transfer Between Spheres
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/misskey-dev/summaly/security/advisories/GHSA-7899-w6c4-vqc4
- https://github.com/misskey-dev/summaly/commit/45153b4f08a772c395a13f7a25399dd87ed022ed
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.