CVE-2025-46553

Description

### Summary A logic error in the main `summaly` function causes the `allowRedirects` option to never be passed to any plugins, and as a result, isn't enforced. ### Details In the main `summaly` function, a new `scrapingOptions` object is created and passed to either the matched plugin, if any, or the default summarize function. The issue here is that the new `scrapingOptions` object is not provided the `allowRedirects` property of `opts`. ### PoC - Publish a post containing a link to any URL that redirects on Misskey. - A preview will be generated for the target of the redirect, despite Misskey passing `allowRedirects: false`. ### Impact Misskey will follow redirects, despite explicitly requesting not to.

How to fix CVE-2025-46553

To remediate CVE-2025-46553, upgrade the affected package to a fixed version below.

• —upgrade to 5.2.1 or later

Is CVE-2025-46553 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 3.0.1, < 5.2.1

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-46553
• PATCHgithub.com/misskey-dev/summaly
• WEBgithub.com/misskey-dev/summaly/commit/45153b4f08a772c395a13f7a25399dd87ed022ed
• WEBgithub.com/misskey-dev/summaly/security/advisories/GHSA-7899-w6c4-vqc4