What is the severity of GHSA-7899-w6c4-vqc4?

The vulnerability GHSA-7899-w6c4-vqc4 is classified as a moderate severity issue due to the logic error affecting redirect options.

How do I fix GHSA-7899-w6c4-vqc4?

To fix GHSA-7899-w6c4-vqc4, update the @misskey-dev/summaly package to version 5.2.2 or later.

What is the impact of GHSA-7899-w6c4-vqc4?

GHSA-7899-w6c4-vqc4 can lead to security risks from redirects not being enforced when using plugins.

What is the affected software version for GHSA-7899-w6c4-vqc4?

GHSA-7899-w6c4-vqc4 affects @misskey-dev/summaly versions between 3.0.1 and 5.2.1, inclusive.

Is GHSA-7899-w6c4-vqc4 a known issue?

Yes, GHSA-7899-w6c4-vqc4 is a known vulnerability documented in GitHub advisories.

Vulnerability/
GHSA-7899-w6c4-vqc4

CWE

601 665 669 693

5/5/2025

GHSA-7899-w6c4-vqc4

First published: Mon May 05 2025(Updated: )

### Summary A logic error in the main `summaly` function causes the `allowRedirects` option to never be passed to any plugins, and as a result, isn't enforced. ### Details In the main `summaly` function, a new `scrapingOptions` object is created and passed to either the matched plugin, if any, or the default summarize function. The issue here is that the new `scrapingOptions` object is not provided the `allowRedirects` property of `opts`. ### PoC - Publish a post containing a link to any URL that redirects on Misskey. - A preview will be generated for the target of the redirect, despite Misskey passing `allowRedirects: false`. ### Impact Misskey will follow redirects, despite explicitly requesting not to.

Affected Software	Affected Version	How to fix
npm/@misskey-dev/summaly	>=3.0.1<5.2.1	5.2.1

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of GHSA-7899-w6c4-vqc4?
The vulnerability GHSA-7899-w6c4-vqc4 is classified as a moderate severity issue due to the logic error affecting redirect options.
How do I fix GHSA-7899-w6c4-vqc4?
To fix GHSA-7899-w6c4-vqc4, update the @misskey-dev/summaly package to version 5.2.2 or later.
What is the impact of GHSA-7899-w6c4-vqc4?
GHSA-7899-w6c4-vqc4 can lead to security risks from redirects not being enforced when using plugins.
What is the affected software version for GHSA-7899-w6c4-vqc4?
GHSA-7899-w6c4-vqc4 affects @misskey-dev/summaly versions between 3.0.1 and 5.2.1, inclusive.
Is GHSA-7899-w6c4-vqc4 a known issue?
Yes, GHSA-7899-w6c4-vqc4 is a known vulnerability documented in GitHub advisories.

agent/weakness
agent/last-modified-date
agent/references
agent/source
agent/softwarecombine
agent/type
agent/description
agent/first-publish-date
agent/event
agent/tags
collector/github-advisory-latest
source/GitHub
alias/GHSA-7899-w6c4-vqc4
alias/CVE-2025-46553
agent/software-canonical-lookup
package-manager/npm

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.