CVE-2025-46553: 
JavaScript vulnerability analysis and mitigation

@misskey-dev/summaly, a web page summary tool, was discovered to contain a vulnerability (CVE-2025-46553) affecting versions 3.0.1 through 5.2.1. The vulnerability was disclosed on May 5, 2025, and involves a logic error in the main summaly function that impacts URL redirection functionality. The issue has been assigned a CVSS v4.0 base score indicating LOW severity (GitHub Advisory).

The vulnerability stems from a logic error in the main summaly function where the allowRedirects option is never passed to any plugins. This occurs because the scrapingOptions object created in the main function fails to include the allowRedirects property from the options parameter. The vulnerability has been assigned a CVSS v4.0 vector string of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:P (GitHub Advisory).

When exploited, the vulnerability causes Misskey to follow URL redirects even when explicitly configured not to do so through the allowRedirects: false setting. This behavior occurs when posts containing redirecting URLs are published on Misskey, generating previews for the redirect targets despite the system's configuration to prevent such behavior (GitHub Advisory, Wiz).

The vulnerability has been patched in version 5.2.1 of @misskey-dev/summaly. Users should upgrade to this version to resolve the issue (GitHub Advisory, GitHub Commit).