PT-2025-19770 · Npm · @Misskey-Dev/Summaly

Warriordog · Published 2025-05-05 · Updated 2025-12-01 · CVE-2025-46553

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions
@misskey-dev/summaly versions 3.0.1 through 5.2.0

Description
A logic error in the main summaly function means the allowRedirects option is never passed to any plugin and, as a result, is not enforced. Misskey therefore follows redirects even when it has explicitly requested not to. The problem can be demonstrated by publishing a post on Misskey that contains a link to any URL that redirects: a preview is generated for the target of the redirect, even when allowRedirects: false is specified.

Recommendations
For versions 3.0.1 through 5.2.0, update to version 5.2.1, which contains a patch for the issue. As a temporary workaround, consider disabling the summaly function until the patch is applied. Restrict access to the summaly function to minimize the risk of exploitation. Avoid using the allowRedirects option in the affected summaly function until the issue is resolved.
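
To find installs that still fall in the affected range (3.0.1 through 5.2.0), the following added example, which is not part of the advisory or the summaly project, scans the "packages" map of an npm lockfile (lockfileVersion 2 or 3). The sample lockfile is constructed, and pre-release suffixes on version strings are ignored as a simplifying assumption.

```javascript
// Added example: flag @misskey-dev/summaly installs in the affected range
// (3.0.1 through 5.2.0) in an npm lockfile's "packages" map (lockfileVersion 2/3).
const PKG = '@misskey-dev/summaly';
const FIRST_AFFECTED = [3, 0, 1];
const LAST_AFFECTED = [5, 2, 0];

// Parse "major.minor.patch"; pre-release/build suffixes are ignored (assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Compare two [major, minor, patch] triples: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return false; // unparseable versions are not flagged
  return compare(v, FIRST_AFFECTED) >= 0 && compare(v, LAST_AFFECTED) <= 0;
}

// Returns [{ path, version }] for every affected copy, including nested ones.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/@misskey-dev/summaly".
    if (!path.endsWith('node_modules/' + PKG)) continue;
    if (isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/@misskey-dev/summaly': { version: '5.2.1' },
    'node_modules/example-dep/node_modules/@misskey-dev/summaly': { version: '4.0.2' },
  },
};

console.log(findAffected(sampleLock));
```

In a real project, pass the parsed contents of package-lock.json to findAffected; a nested copy pulled in by another dependency is reported with its full path.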

Weakness Enumeration

Protection Mechanism Failure
Open Redirect
Improper Initialization

Related Identifiers

CVE-2025-46553
GHSA-7899-W6C4-VQC4

Affected Products

@Misskey-Dev/Summaly