GHSA-jqx4-9gpq-rppm: 
JavaScript vulnerability analysis and mitigation

A security vulnerability (GHSA-jqx4-9gpq-rppm) was discovered in @misskey-dev/summaly package affecting versions >= 5.1.0 and < 5.2.1. The vulnerability, published on May 6, 2025, allows attackers to bypass IP filtering through HTTP redirects. This moderate severity issue was discovered by researcher warriordog and has been patched in version 5.2.1 (GitHub Advisory).

The vulnerability stems from a validation error in the got.scpaping function. The function performs a HTTP HEAD request to the target page and checks for private IP addresses in the HEAD response. However, it fails to perform these checks on the subsequent GET request, allowing the GET response to redirect to a private IP address, effectively bypassing the IP filtering mechanism. The vulnerability has been assigned a CVSS score of 5.3 (Moderate) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network attack vector, low complexity, and no required privileges or user interaction (GitHub Advisory).

The vulnerability enables attackers to probe internal networks for HTTP services that are not intended to be exposed externally. While the access is primarily read-only, it can be exploited to extract sensitive information or conduct reconnaissance for future attacks without leaving traces (GitHub Advisory).

The vulnerability has been patched in version 5.2.1 of @misskey-dev/summaly. The fix involves moving the private IP address checks to the response handling phase, ensuring that IP filtering is properly enforced for all responses including redirects (Wiz).