CVE-2025-46553

Summary

@misskey-dev/summaly is a tool for getting a summary of a web page. Starting in version 3.0.1 and prior to version 5.2.1, a logic error in the main summaly function causes the allowRedirects option to never be passed to any plugins, and as a result, isn't enforced. Misskey will follow redirects, despite explicitly requesting not to. Version 5.2.1 contains a patch for the issue.

Affected Software

VendorProductVersion RangeStatus
misskey-devsummaly>= 3.0.1, < 5.2.1affected

Weaknesses

  • CWE-693: CWE-693: Protection Mechanism Failure
  • CWE-601: CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
  • CWE-665: CWE-665: Improper Initialization
  • CWE-669: CWE-669: Incorrect Resource Transfer Between Spheres

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References