CVSS Score: -

Basic Information
CVE ID: -
GHSA ID: -
EPSS Score: -
CWE: -
Published: -
Updated: -
KEV Status: -
Technology: -
The vulnerability is a logic error: the allowRedirects option (internally named followRedirects) is not correctly passed down through the function call chain, so URL redirects are followed when the caller asked that they not be. The analysis focused on identifying the functions in which this option was missing before the patch and was added by the patch.

- summaly (in src/index.ts): the main function named in the vulnerability description as having the logic error. It failed to include opts.followRedirects in the scrapingOptions it created. This is the root cause.
- general (in src/general.ts): this function, often acting as a default handler, receives options from summaly. It was patched to correctly receive the followRedirects option and pass it on to its own scraping calls. Its previous failure to do so (because it was never receiving the option) contributed to the vulnerability.
- getResponse (in src/utils/got.ts): this function makes the actual HTTP request. It was patched to use the followRedirects option to configure the got HTTP client. Before the patch the option was undefined at this point, so got fell back to its default of following redirects, which is how the vulnerability manifests.

These three functions are directly in the control flow for handling URLs and their redirect behaviour, and the patch modifies them so that the followRedirects option is respected at every hop.

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| @misskey-dev/summaly | npm | >= 3.0.1, < 5.2.1 | 5.2.1 |
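The option-dropping pattern described above, modelled as an added example that is not summaly's own code. The function names summalyBefore/summalyAfter, generalBefore/generalAfter and getResponseBefore/getResponseAfter are hypothetical stand-ins for the three patched functions, the HTTP client is a constructed replacement for got that mirrors its default of following redirects when no option is given, and the URLs and redirect table are constructed. The "before" chain loses the option at the top, so a caller's `followRedirects: false` has no effect; the "after" chain threads it through every hop.

```typescript
// Added example (not code from the summaly project): how a caller option that
// is dropped in the call chain silently changes redirect behaviour.

type ScrapingOptions = { followRedirects?: boolean };
type FetchResult = { url: string; status: number; body: string };

// Constructed redirect table: the first URL answers 302 with a Location header.
const REDIRECTS: Record<string, string> = {
  "https://example.test/start": "https://internal.example.test/landing",
};

// Constructed stand-in for the HTTP client. Like got, it follows redirects
// unless explicitly told not to, so an undefined followRedirects acts as true.
function fakeClient(url: string, opts: { followRedirects?: boolean } = {}): FetchResult {
  const target = REDIRECTS[url];
  if (target === undefined) {
    return { url, status: 200, body: `page at ${url}` };
  }
  if (opts.followRedirects === false) {
    // Redirect is reported to the caller instead of being followed.
    return { url, status: 302, body: "" };
  }
  return fakeClient(target, opts);
}

// Hypothetical "before" wiring: the top-level function builds scrapingOptions
// without copying followRedirects, so nothing downstream ever sees it.
function summalyBefore(url: string, _opts: { followRedirects?: boolean }): FetchResult {
  const scrapingOptions: ScrapingOptions = {}; // followRedirects not copied here
  return generalBefore(url, scrapingOptions);
}
function generalBefore(url: string, _scrapingOptions: ScrapingOptions): FetchResult {
  return getResponseBefore(url); // option not forwarded
}
function getResponseBefore(url: string): FetchResult {
  return fakeClient(url); // followRedirects undefined -> client follows
}

// Hypothetical "after" wiring: the option is threaded through every hop and
// handed to the client explicitly.
function summalyAfter(url: string, opts: { followRedirects?: boolean }): FetchResult {
  const scrapingOptions: ScrapingOptions = { followRedirects: opts.followRedirects };
  return generalAfter(url, scrapingOptions);
}
function generalAfter(url: string, scrapingOptions: ScrapingOptions): FetchResult {
  return getResponseAfter(url, scrapingOptions);
}
function getResponseAfter(url: string, scrapingOptions: ScrapingOptions): FetchResult {
  return fakeClient(url, { followRedirects: scrapingOptions.followRedirects });
}

// Helper for a regression check: did the final URL differ from the requested one?
function redirectWasFollowed(requested: string, result: FetchResult): boolean {
  return result.url !== requested;
}

const START = "https://example.test/start";
console.log("before:", summalyBefore(START, { followRedirects: false }));
console.log("after: ", summalyAfter(START, { followRedirects: false }));
```

Running the block shows the "before" chain landing on the redirect target with status 200 despite `followRedirects: false`, while the "after" chain stops at the original URL with status 302. The `redirectWasFollowed` check is the kind of assertion a regression test for this class of bug would carry, since the option is only exercised when a redirecting URL is in the test fixture.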