CVE-2025-46553: @misskey-dev/summaly Redirect Filter Bypass
CVSS Score: 2.1 (CVSS v4.0)
Basic Information
CVE ID: CVE-2025-46553
GHSA ID:
EPSS Score: 0.29433%
CWE:
Published: 5/5/2025
Updated: 5/5/2025
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X`
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| @misskey-dev/summaly | npm | >= 3.0.1, < 5.2.1 | 5.2.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability is a logic error: the `allowRedirects` option (internally named `followRedirects`) is not passed down through the function call chain, so the HTTP client follows redirects even when the caller disabled them. The analysis focused on identifying the functions in which this option was missing before the patch and was added by the patch.

- `summaly` (in `src/index.ts`): the main function identified in the vulnerability description as having the logic error. It failed to include `opts.followRedirects` in the `scrapingOptions` object it created. This is the root cause.
- `general` (in `src/general.ts`): this function, which often acts as the default handler, receives its options from `summaly`. It was patched to correctly receive the `followRedirects` option and pass it on to its own scraping calls. Its previous failure to do so (because it was never receiving the option) contributed to the vulnerability.
- `getResponse` (in `src/utils/got.ts`): this function makes the actual HTTP request. It was patched to use the `followRedirects` option when configuring the `got` HTTP client. Before the patch the option was `undefined`, so `got` fell back to its default of following redirects, which is how the vulnerability manifests.

These three functions are directly in the control flow for handling URLs and their redirect behavior, and the patch modifies them so that the `followRedirects` option is respected end to end.
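The following JavaScript is an added illustration of the option-propagation bug the analysis describes; it is not the summaly library's code. The three functions are hypothetical stand-ins named after the ones in the call chain above, the `RESPONSES` table is a constructed stand-in for a server with one redirect hop, and `simulatedClient` mimics only the relevant behaviour of `got` (an undefined `followRedirect` option means "follow"). The vulnerable and fixed shapes of `summaly` are shown side by side so the difference in outcome for `allowRedirects: false` is visible.

```javascript
// Constructed "server": a URL map with a single 302 hop. Not real network traffic.
const RESPONSES = {
  "https://example.test/start": { status: 302, location: "https://example.test/final" },
  "https://example.test/final": { status: 200, body: "<title>final page</title>" },
};

// Simulated HTTP client (hypothetical stand-in for `got`). As with got, when the
// followRedirect option is undefined the client defaults to following redirects,
// which is exactly the failure mode the advisory describes.
function simulatedClient(url, { followRedirect } = {}) {
  const follow = followRedirect ?? true; // default mirrors got's behaviour
  let current = url;
  const visited = [current];
  for (let hop = 0; hop < 5; hop++) {
    const res = RESPONSES[current];
    if (!res) throw new Error(`no response for ${current}`);
    const isRedirect = res.status >= 300 && res.status < 400 && res.location;
    if (isRedirect && follow) {
      current = res.location;
      visited.push(current);
      continue;
    }
    return { ...res, url: current, visited };
  }
  throw new Error("too many redirects");
}

// Hypothetical getResponse: maps the scraping option onto the client option.
function getResponse(url, scrapingOptions) {
  return simulatedClient(url, { followRedirect: scrapingOptions.followRedirects });
}

// Hypothetical general handler: forwards whatever options it received.
function general(url, scrapingOptions) {
  const res = getResponse(url, scrapingOptions);
  return { finalUrl: res.url, status: res.status, hops: res.visited.length - 1 };
}

// Vulnerable shape: scrapingOptions is built without followRedirects, so the
// caller's allowRedirects:false never reaches the HTTP client and the
// redirect is followed anyway.
function summalyVulnerable(url, opts = {}) {
  const scrapingOptions = { lang: opts.lang ?? null };
  return general(url, scrapingOptions);
}

// Fixed shape: the option is carried through the whole chain, so the client
// stops at the 302 when the caller asked it not to follow.
function summalyFixed(url, opts = {}) {
  const scrapingOptions = {
    lang: opts.lang ?? null,
    followRedirects: opts.allowRedirects ?? true,
  };
  return general(url, scrapingOptions);
}
```

Running `summalyVulnerable("https://example.test/start", { allowRedirects: false })` lands on `/final` with one hop, while `summalyFixed` with the same arguments returns the `/start` URL with status 302 and zero hops; with the option omitted, the fixed version still follows the redirect, matching the default the analysis describes. The defensive lesson is that an option which gates a security decision should be checked at the boundary where it is consumed (here, the request function), not only where it is accepted, so a dropped field fails closed rather than silently reverting to the client's permissive default.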