CVE-2025-46553

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-46553

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-46553.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-46553

Aliases

GHSA-7899-w6c4-vqc4

Published

2025-05-05T18:28:50.216Z

Modified

2026-04-02T12:48:34.524134Z

Severity

2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:P CVSS Calculator

Summary

@misskey-dev/summaly Redirect Filter Bypass

Details

@misskey-dev/summaly is a tool for getting a summary of a web page. Starting in version 3.0.1 and prior to version 5.2.1, a logic error in the main summaly function causes the allowRedirects option to never be passed to any plugins, and as a result, isn't enforced. Misskey will follow redirects, despite explicitly requesting not to. Version 5.2.1 contains a patch for the issue.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/46xxx/CVE-2025-46553.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-601",
        "CWE-665",
        "CWE-669",
        "CWE-693"
    ]
}

References

Affected packages

Git / github.com/misskey-dev/summaly

Affected ranges

Type: GIT
Repo: https://github.com/misskey-dev/summaly
Events: Introduced

3c7c3c8aa715bc2fd79c319af226c0e923ce29b4

Fixed

56e1137113846edd1ef8ea961a7e3333900ad891

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.1.0

5.2.0

v3.*

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v4.*

v4.0.0

v4.0.1

v4.0.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-46553.json"