Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64115

CVE-2025-64115: Movary Open Redirect Vulnerability

CVE-2025-64115 is an open redirect flaw in Leepeuker Movary that exploits HTTP Referer headers to redirect users to malicious sites. This post covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-64115 Overview

CVE-2025-64115 is an open redirect vulnerability in Movary, a web application for tracking, rating, and exploring movie watch history. Versions up to and including 0.68.0 use the HTTP Referer header value directly for redirects in multiple settings endpoints. An attacker can craft a link that abuses this behavior to redirect authenticated users to an attacker-controlled site, facilitating phishing and credential harvesting. The issue is tracked under [CWE-601] (URL Redirection to Untrusted Site) and is fixed in version 0.69.0.

Critical Impact

Attackers can leverage trusted Movary domains to redirect victims to malicious pages, enabling phishing campaigns that impersonate the legitimate application.

Affected Products

  • Leepeuker Movary versions <= 0.68.0
  • Movary settings endpoints that consume the HTTP_REFERER server variable
  • Movary error handling controller (404 page referer rendering)

Discovery Timeline

  • 2025-10-30 - CVE-2025-64115 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-64115

Vulnerability Analysis

Movary constructs HTTP redirect responses using the raw $_SERVER['HTTP_REFERER'] value supplied by the client. Because the Referer header is fully attacker-controllable through a crafted link, the application performs redirects to arbitrary external hosts. The flaw affects multiple settings endpoints as well as the 404 error controller, where the referer value is also rendered into a template. An attacker distributes a link pointing to a vulnerable Movary endpoint while setting or influencing the referer chain so that after the request completes, the victim's browser is redirected to a phishing domain that mimics Movary's login screen.

Root Cause

The root cause is missing validation and sanitization of the client-supplied Referer header before it is used as the destination of an HTTP 303 See Other redirect. The vulnerable code path in src/HttpController/Web/CreateUserController.php calls Header::createLocation($_SERVER['HTTP_REFERER']) without checking that the value resolves to an internal path or trusted host. A parallel issue exists in src/HttpController/Web/ErrorController.php, where a private getReferer() helper returns the raw header value.

Attack Vector

Exploitation requires user interaction: the victim must click an attacker-crafted link, but no authentication bypass or privilege escalation is needed. The attack is executed over the network against any Movary instance running an affected version.

php
// Patch in src/HttpController/Web/CreateUserController.php
            return Response::create(
                StatusCode::createSeeOther(),
                null,
-                [Header::createLocation($_SERVER['HTTP_REFERER'])],
+                [Header::createLocation((string)$request->getHttpReferer())],
            );
        }

Source: Movary commit 716f703b

php
// Patch in src/HttpController/Web/ErrorController.php
            $this->twig->render(
                'page/404.html.twig',
                [
-                    'referer' => $this->getReferer($request)
+                    'referer' => $request->getHttpReferer()
                ],
            ),
        );
    }
-
-    private function getReferer(Request $request) : ?string
-    {
-        $referer = $_SERVER['HTTP_REFERER'] ?? null;
-        if ($referer === null) {
-            return null;
-        }
-
-        if (parse_url($_SERVER['HTTP_REFERER'], PHP_URL_PATH) === $request->getPath()) {
-            return null;
-        }
-
-        return $_SERVER['HTTP_REFERER'];
-    }
 }

Source: Movary commit 716f703b. The fix routes referer access through the framework's Request::getHttpReferer() accessor, which centralizes validation instead of trusting raw superglobals.

Detection Methods for CVE-2025-64115

Indicators of Compromise

  • HTTP 303 See Other responses from Movary settings endpoints containing a Location header pointing to an external, non-Movary domain
  • Inbound requests to Movary with Referer headers whose host does not match the Movary instance hostname
  • Access logs showing repeated hits to settings endpoints (for example, user creation flows) followed by 3xx redirects to unfamiliar domains

Detection Strategies

  • Deploy a web application firewall rule that inspects the Referer header on requests to Movary and blocks values whose host component does not match the deployed instance
  • Compare the Host header and the parsed host of the Referer header in access logs; flag mismatches on POST requests
  • Search for phishing lures that link to Movary URLs, indicating attempted abuse of the redirect chain

Monitoring Recommendations

  • Enable verbose access logging on the reverse proxy fronting Movary, including the Referer header value
  • Alert when Movary responds with Location headers pointing to domains outside an approved allowlist
  • Track user reports of unexpected logout or credential prompts after clicking Movary links

How to Mitigate CVE-2025-64115

Immediate Actions Required

  • Upgrade all Movary deployments to version 0.69.0 or later, which replaces raw $_SERVER['HTTP_REFERER'] usage with the validated Request::getHttpReferer() accessor
  • Inventory internet-exposed Movary instances and prioritize patching those reachable by untrusted users
  • Notify Movary users about phishing risk and instruct them to verify the address bar after clicking Movary links

Patch Information

The fix is delivered in Movary 0.69.0 through pull request #713 and commit 716f703b. Full details are documented in the GitHub Security Advisory GHSA-pm58-79jw-q79f.

Workarounds

  • Place Movary behind a reverse proxy that strips or validates the Referer header against the deployment hostname before forwarding requests
  • Restrict access to the Movary settings endpoints to trusted networks until the upgrade is applied
  • Educate users to avoid clicking Movary links from untrusted sources until patching is complete
bash
# Example nginx snippet: drop external Referer values before proxying to Movary
map $http_referer $safe_referer {
    default "";
    "~^https?://movary\.example\.com/" $http_referer;
}

server {
    listen 443 ssl;
    server_name movary.example.com;

    location / {
        proxy_set_header Referer $safe_referer;
        proxy_pass http://127.0.0.1:8080;
    }
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.