CVE-2025-46553 LOW

CVE-2025-46553: @misskey-dev/summaly Redirect Filter Bypass

Vendor Misskey-Dev
Product summaly
Weakness CWE-693
Published May 5, 2025
Last update May 5, 2025

CVSS base score

2.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:P

What the vulnerability does

01Description

@misskey-dev/summaly is a tool for getting a summary of a web page. Starting in version 3.0.1 and prior to version 5.2.1, a logic error in the main `summaly` function causes the `allowRedirects` option to never be passed to any plugins, and as a result, isn't enforced. Misskey will follow redirects, despite explicitly requesting not to. Version 5.2.1 contains a patch for the issue.

Key dates

02Disclosure timeline

May 5, 2025 CVE published
May 5, 2025 Record updated