=5.1.0 <5.2.1

Q: How to fix?

Upgrade @misskey-dev/summaly to version 5.2.1 or higher.

Threat Intelligence

Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-JS-MISSKEYDEVSUMMALY-10350356
published13 Jun 2025
disclosed6 May 2025
creditHazel K

Report a new vulnerability Found a mistake?

Introduced: 6 May 2025

CWE-346 (opens in a new tab)

How to fix?

Upgrade @misskey-dev/summaly to version 5.2.1 or higher.

Overview

@misskey-dev/summaly is a Get web page's summary

Affected versions of this package are vulnerable to Origin Validation Error in got.scpaping. An attacker can probe a victim's internal network for HTTP services that aren't supposed to be exposed to the outside world by using an HTTP redirect to bypass IP filtering. This is only exploitable if the attacker can manipulate the HTTP HEAD and GET requests to redirect to a private IP address.

PoC

@summaly-bypass-head {
    method HEAD
    path /summaly-bypass
}
@summaly-bypass-get {
    method GET
    path /summaly-bypass
}
header @summaly-bypass-head Content-Type "text/html"
respond @summaly-bypass-head 200
redir @summaly-bypass-get http://127.0.0.1:3080/

References

GitHub Commit

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
Low
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None