
CVE-2025-46553: CWE-693: Protection Mechanism Failure in misskey-dev summaly

Low
Published: Mon May 05 2025 (05/05/2025, 18:28:50 UTC)
Source: CVE
Vendor/Project: misskey-dev
Product: summaly

Description

@misskey-dev/summaly is a tool for getting a summary of a web page. Starting in version 3.0.1 and prior to version 5.2.1, a logic error in the main `summaly` function causes the `allowRedirects` option to never be passed to any plugins, and as a result, isn't enforced. Misskey will follow redirects, despite explicitly requesting not to. Version 5.2.1 contains a patch for the issue.

AI-Powered Analysis

Last updated: 07/06/2025, 20:26:38 UTC

Technical Analysis

CVE-2025-46553 is a security vulnerability in the misskey-dev project's summaly tool, which is used to generate summaries of web pages. It affects versions from 3.0.1 up to, but not including, 5.2.1. The core issue is a logic error in the main summaly function: the 'allowRedirects' option is never passed to any plugins, so the option is not enforced and the tool follows HTTP redirects even when it has been explicitly configured not to. This is a protection mechanism failure (CWE-693) and is also related to URL redirection to an untrusted site (CWE-601), improper initialization (CWE-665) and incorrect resource transfer between spheres (CWE-669). The vulnerability is classified as low severity with a CVSS 4.0 score of 2.1, indicating limited impact. Exploitation does not require privileges or authentication but does require user interaction. An attacker could cause the summaly tool to be redirected to unintended URLs, potentially leading to information disclosure or facilitating phishing or other social engineering attacks if the summary content is trusted. The issue was patched in version 5.2.1 of summaly. No known exploits are currently reported in the wild.
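The defect class described above, an option that the top-level function accepts but never hands to the plugins that actually perform the fetch, is illustrated below in an added example. This is not code from misskey-dev/summaly: the function names (summarizeBuggy, summarizeFixed, makePlugin, fakeFetch), the plugin interface, the assumption that a plugin defaults to following redirects when it receives no option, and the response table are all constructed for this illustration. The fake fetch mirrors the two Fetch API redirect modes ('follow' chases Location headers, 'manual' returns the 3xx response untouched), which is how an HTTP client enforces allowRedirects in practice.

```javascript
// Constructed response table standing in for a web server. The first URL
// redirects to a second one that the caller did not ask for.
const SITE = {
  'https://example.test/start': {
    status: 302, headers: { location: 'https://internal.test/page' }, body: '',
  },
  'https://internal.test/page': {
    status: 200, headers: {}, body: '<title>page reached via redirect</title>',
  },
};

// Synchronous stand-in for fetch(): with redirect 'follow' it chases Location
// headers, with redirect 'manual' it hands the 3xx response back as-is.
function fakeFetch(url, init = {}) {
  const mode = init.redirect ?? 'follow';
  let current = url;
  for (let hops = 0; hops < 5; hops++) {
    const res = SITE[current];
    if (!res) throw new Error(`no response for ${current}`);
    const isRedirect = res.status >= 300 && res.status < 400 && !!res.headers.location;
    if (!isRedirect || mode === 'manual') return { url: current, ...res };
    current = res.headers.location;
  }
  throw new Error('too many redirects');
}

// Hypothetical plugin: it refuses redirects only when told to, and (assumption)
// defaults to following them when no option arrives.
function makePlugin(fetchImpl) {
  return {
    summarize(url, opts = {}) {
      const allow = opts.allowRedirects ?? true;
      const res = fetchImpl(url, { redirect: allow ? 'follow' : 'manual' });
      if (res.status >= 300 && res.status < 400) {
        // Redirect blocked: report it instead of summarising the target.
        return { url, blocked: true, title: null };
      }
      return { url: res.url, blocked: false, title: res.body };
    },
  };
}

// Buggy shape: opts is assembled, with allowRedirects false by default, but is
// never forwarded, so the plugin silently applies its own permissive default.
function summarizeBuggy(url, options = {}, plugin = makePlugin(fakeFetch)) {
  const opts = { allowRedirects: false, ...options };
  void opts; // built and then dropped: this is the logic error
  return plugin.summarize(url);
}

// Fixed shape: the same options object travels with the plugin call.
function summarizeFixed(url, options = {}, plugin = makePlugin(fakeFetch)) {
  const opts = { allowRedirects: false, ...options };
  return plugin.summarize(url, opts);
}
```

Calling summarizeBuggy('https://example.test/start') returns the internal page even though allowRedirects was false; summarizeFixed with the same input reports the redirect as blocked, and passing { allowRedirects: true } to it follows the redirect again, which is the behaviour the option was meant to control.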

Potential Impact

For European organizations, the impact of this vulnerability is generally low but context-dependent. Organizations using the summaly tool within their web services or internal tools may inadvertently process redirects they intended to block, potentially exposing users to malicious content or phishing sites through manipulated summaries. This could undermine user trust and lead to indirect reputational damage. Since the vulnerability does not allow direct code execution or privilege escalation, the confidentiality, integrity, and availability impacts are limited. However, in sectors where web content summarization is integrated into critical workflows (e.g., media, research, or intelligence gathering), the failure to enforce redirect restrictions could be exploited to mislead users or automate the retrieval of unintended content. The requirement for user interaction and the low CVSS score suggest that the threat is not severe but should be addressed to maintain robust security hygiene.

Mitigation Recommendations

European organizations should upgrade all instances of the summaly tool to version 5.2.1 or later, where the vulnerability is patched. Until upgrades are completed, organizations should implement strict input validation and sanitization on URLs processed by summaly to detect and block unexpected redirects manually; note that validating the submitted URL alone does not constrain where a redirect lands, so the restriction ultimately has to be enforced by the HTTP client that performs the fetch. Additionally, monitoring and logging of HTTP requests and redirects within summaly can help detect anomalous behavior. Organizations should also review their use of summaly in workflows to ensure that summaries are not blindly trusted, especially when sourced from external or untrusted web pages. Employing web content security policies and user awareness training to recognize potential phishing attempts can further reduce risk. Finally, consider isolating summaly processing environments to limit the potential impact of malicious redirects.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-04-24T21:10:48.173Z
Cisa Enriched: true
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 682d981dc4522896dcbdaed9

Added to database: 5/21/2025, 9:08:45 AM

Last enriched: 7/6/2025, 8:26:38 PM

Last updated: 8/11/2025, 4:39:16 AM

