GHSA-7899-w6c4-vqc4

Source
https://github.com/advisories/GHSA-7899-w6c4-vqc4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-7899-w6c4-vqc4/GHSA-7899-w6c4-vqc4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7899-w6c4-vqc4
Aliases
Published
2025-05-05T17:03:20Z
Modified
2025-05-05T22:06:39Z
Severity
  • 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:P
Summary
@misskey-dev/summaly Redirect Filter Bypass
Details

Summary

A logic error in the main summaly function causes the allowRedirects option to never be passed to any plugin, and as a result the option is not enforced.

Details

In the main summaly function, a new scrapingOptions object is created and passed to either the matched plugin, if any, or the default summarize function. The issue is that the allowRedirects property of opts is not copied into the new scrapingOptions object.
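The dropped-option pattern described above, shown beside its corrected form. This is an added, simplified model and not the project's own code: the function bodies, the `lang` and `userAgent` fields, the redirect table and the `.example` hosts are all assumptions made for illustration.

```javascript
// Constructed redirect table standing in for the network (hypothetical hosts).
const REDIRECTS = { 'https://short.example/a': 'https://landing.example/target' };

// Simplified stand-in for a plugin or the default summarizer.
// Assumption: a missing allowRedirects means "use the default", which is to follow.
function summarize(url, scrapingOptions) {
  const target = REDIRECTS[url];
  if (target !== undefined) {
    if (scrapingOptions.allowRedirects === false) {
      throw new Error('redirect refused: ' + url);
    }
    return { url: target, followedRedirect: true };
  }
  return { url, followedRedirect: false };
}

// Vulnerable pattern: the options object is rebuilt field by field and
// allowRedirects is left out, so the callee always sees undefined.
function summalyVulnerable(url, opts = {}) {
  const scrapingOptions = {
    lang: opts.lang,
    userAgent: opts.userAgent,
  };
  return summarize(url, scrapingOptions);
}

// Corrected pattern: allowRedirects is forwarded with the other options.
function summalyFixed(url, opts = {}) {
  const scrapingOptions = {
    lang: opts.lang,
    userAgent: opts.userAgent,
    allowRedirects: opts.allowRedirects,
  };
  return summarize(url, scrapingOptions);
}

// Regression check: true only when the caller's allowRedirects: false is enforced.
function enforcesNoRedirect(summalyImpl) {
  try {
    summalyImpl('https://short.example/a', { allowRedirects: false });
    return false; // a summary came back, so the redirect was followed
  } catch (e) {
    return /redirect refused/.test(e.message);
  }
}
```

A check like `enforcesNoRedirect` is worth keeping as a regression test, because the failure is silent: the caller's option is accepted without error and simply has no effect.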

PoC

  • Publish a post on Misskey containing a link to any URL that redirects.
  • A preview will be generated for the target of the redirect, despite Misskey passing allowRedirects: false.

Impact

Misskey will follow redirects, despite explicitly requesting not to.

Database specific
{
    "github_reviewed_at": "2025-05-05T17:03:20Z",
    "cwe_ids": [
        "CWE-601",
        "CWE-665",
        "CWE-669",
        "CWE-693"
    ],
    "nvd_published_at": "2025-05-05T19:15:56Z",
    "severity": "LOW",
    "github_reviewed": true
}
References

Affected packages

npm / @misskey-dev/summaly

Package

Name
@misskey-dev/summaly
Purl
pkg:npm/%40misskey-dev/summaly

Affected ranges

Type
SEMVER
Events
Introduced
3.0.1
Fixed
5.2.1