@misskey-dev/summaly Redirect Filter Bypass Vulnerability

Vulnerability

A logic error has been identified in the @misskey-dev/summaly package, affecting versions from 3.0.1 up to, but not including, 5.2.1. The issue arises in the main 'summaly' function, where the 'allowRedirects' option is not passed on to plugins, so the redirect policy the caller requested is never enforced on the plugin path. Consequently, Misskey follows redirects even when explicitly instructed not to. This vulnerability requires user interaction to exploit, as it involves publishing a post with a link to a URL that redirects.
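The following is an added illustration of the defect class described above, not code from the summaly project: a minimal preview dispatcher that routes some URLs to a plugin, shown once with the caller's options dropped on the plugin path and once with them forwarded. The plugin, the redirect table, fetchSim and previewTarget are all constructed for this example; the real library's internals are not reproduced here.

```javascript
// Added illustration (not summaly's own code): a minimal model of how a
// preview library dispatches to URL-specific plugins, showing the defect
// described above (the allowRedirects option not being forwarded to plugins)
// next to the corrected dispatcher. All names and the redirect table are
// constructed for this example.

// Constructed stand-in for the network: which URLs redirect where.
const REDIRECTS = {
  'https://short.example/abc': 'https://target.example/page',
};

// Simulated fetch that honours an allowRedirects flag. Real code would
// pass the flag to its HTTP client; here the redirect map stands in.
function fetchSim(url, allowRedirects) {
  let current = url;
  let hops = 0;
  while (REDIRECTS[current]) {
    if (!allowRedirects) {
      throw new Error(`redirect refused: ${current} -> ${REDIRECTS[current]}`);
    }
    current = REDIRECTS[current];
    if (++hops > 5) throw new Error('too many redirects');
  }
  return { finalUrl: current, title: `Preview of ${current}` };
}

// A plugin that claims every short.example link. It reads allowRedirects
// from the options it is given, with the same default (true) as the main
// entry point, so the caller's choice only reaches it if the dispatcher
// forwards the options object.
const shortLinkPlugin = {
  test: (url) => new URL(url).hostname === 'short.example',
  summarize: (url, opts = {}) => fetchSim(url, opts.allowRedirects ?? true),
};

const plugins = [shortLinkPlugin];

// Vulnerable dispatcher: the plugin is called with the URL only, so the
// option the caller set is silently dropped and the plugin's default applies.
function summalyVulnerable(url, opts = {}) {
  const plugin = plugins.find((p) => p.test(url));
  if (plugin) return plugin.summarize(url);
  return fetchSim(url, opts.allowRedirects ?? true);
}

// Fixed dispatcher: the same options object reaches the plugin.
function summalyFixed(url, opts = {}) {
  const plugin = plugins.find((p) => p.test(url));
  if (plugin) return plugin.summarize(url, opts);
  return fetchSim(url, opts.allowRedirects ?? true);
}

// Helper for checking behaviour: returns the final URL a dispatcher ends up
// previewing, or null when the redirect was refused.
function previewTarget(dispatch, url, allowRedirects) {
  try {
    return dispatch(url, { allowRedirects }).finalUrl;
  } catch (e) {
    return null;
  }
}

console.log('vulnerable:', previewTarget(summalyVulnerable, 'https://short.example/abc', false));
console.log('fixed:     ', previewTarget(summalyFixed, 'https://short.example/abc', false));
```

With allowRedirects set to false, the vulnerable dispatcher still previews the redirect target because the plugin never saw the option, while the fixed one refuses the hop. A regression test that calls the entry point with allowRedirects disabled for a plugin-handled URL is the check that would have caught this defect.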

Impact

Exploitation of this vulnerability causes Misskey to follow redirects, disregarding the user's request to avoid them.

Reproduction

To reproduce this vulnerability, publish a post containing a link to any URL that redirects. A preview will be generated for the target of the redirect, even though Misskey has been set to not allow redirects.

Remediation

Users can upgrade to version 5.2.1 or later, where this vulnerability has been patched.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.8
exploitability: 7.7
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.