
CVE-2025-46553: @misskey-dev/summaly Redirect Filter Bypass

CVSS Score (v4.0): 2.1

Basic Information

EPSS Score: 0.29433%
Published: 5/5/2025
Updated: 5/5/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Package Name: @misskey-dev/summaly
Ecosystem: npm
Vulnerable Versions: >= 3.0.1, < 5.2.1
First Patched Version: 5.2.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability is a logic error where the allowRedirects option (internally named followRedirects) is not correctly passed down through the function call chain, leading to unintended URL redirects. The analysis focused on identifying functions where this option was missing before the patch and added by the patch.

  1. summaly (in src/index.ts): This is the main function identified in the vulnerability description as having the logic error. It failed to include opts.followRedirects in the scrapingOptions it created. This is the root cause.
  2. general (in src/general.ts): This function, often acting as a default handler, receives options from summaly. It was patched to correctly receive and pass on the followRedirects option to its own scraping calls. Its previous failure to do so (because it wasn't receiving it) contributed to the vulnerability.
  3. getResponse (in src/utils/got.ts): This function makes the actual HTTP request. It was patched to use the followRedirects option to configure the got HTTP client. Before the patch, this option would be undefined, causing got to default to following redirects, which is the manifestation of the vulnerability.

These three functions are directly in the control flow for handling URLs and their redirect behavior, and the patch modifies them to correctly respect the followRedirects option.
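The propagation bug described above, as an added model that is not code from @misskey-dev/summaly: the function and option names (summaly, general, getResponse, scrapingOptions, followRedirects) follow the analysis, the redirect map is constructed, and the HTTP layer is a stub assumed to mirror got's default of following redirects unless followRedirect is explicitly false.

```javascript
// Added example, not summaly's code: a minimal model of the option-propagation
// bug behind CVE-2025-46553. Names follow the root cause analysis above.

// Constructed redirect map: a URL and the Location it would redirect to.
const REDIRECTS = {
  "https://public.example/page": "https://other.example/final",
};

// Stub standing in for the got client (assumption: like got, it follows
// redirects unless followRedirect is explicitly false, so undefined -> follow).
function stubGot(url, options = {}) {
  const follow = options.followRedirect !== false;
  const hops = [];
  let current = url;
  while (follow && REDIRECTS[current]) {
    hops.push(current);
    current = REDIRECTS[current];
  }
  return { finalUrl: current, hops };
}

// src/utils/got.ts analogue: maps the library option onto the client option.
function getResponse(url, opts) {
  return stubGot(url, { followRedirect: opts.followRedirects });
}

// src/general.ts analogue: the default handler forwards what it received.
function general(url, opts) {
  return getResponse(url, { followRedirects: opts.followRedirects });
}

// Vulnerable shape: scrapingOptions is built without followRedirects, so the
// caller's { followRedirects: false } never reaches the client and the
// client default (follow) applies.
function summalyVulnerable(url, opts = {}) {
  const scrapingOptions = { lang: opts.lang, userAgent: opts.userAgent };
  return general(url, scrapingOptions);
}

// Fixed shape: the option is carried through the same call chain.
function summalyFixed(url, opts = {}) {
  const scrapingOptions = {
    lang: opts.lang,
    userAgent: opts.userAgent,
    followRedirects: opts.followRedirects,
  };
  return general(url, scrapingOptions);
}
```

With followRedirects: false, the vulnerable chain still lands on https://other.example/final, while the fixed chain stops at the requested URL with no hops.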

WAF Protection Rules

WAF Rule

Summary: A logic error in the main `summaly` function causes the `allowRedirects` option to never be passed to any plugins, and as a result, isn't enforced.

Details: In the main `summaly` function, a new `scrapingOptions` object is created and
