CVE-2025-64115 Overview
CVE-2025-64115 is an open redirect vulnerability in Movary, a web application for tracking, rating, and exploring movie watch history. Versions up to and including 0.68.0 use the HTTP Referer header value directly for redirects in multiple settings endpoints. An attacker can craft a link that abuses this behavior to redirect authenticated users to an attacker-controlled site, facilitating phishing and credential harvesting. The issue is tracked under [CWE-601] (URL Redirection to Untrusted Site) and is fixed in version 0.69.0.
Critical Impact
Attackers can leverage trusted Movary domains to redirect victims to malicious pages, enabling phishing campaigns that impersonate the legitimate application.
Affected Products
- Leepeuker Movary versions <= 0.68.0
- Movary settings endpoints that consume the HTTP_REFERER server variable
- Movary error handling controller (404 page referer rendering)
Discovery Timeline
- 2025-10-30 - CVE-2025-64115 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-64115
Vulnerability Analysis
Movary constructs HTTP redirect responses using the raw $_SERVER['HTTP_REFERER'] value supplied by the client. Because the Referer header is fully attacker-controllable through a crafted link, the application performs redirects to arbitrary external hosts. The flaw affects multiple settings endpoints as well as the 404 error controller, where the referer value is also rendered into a template. An attacker distributes a link pointing to a vulnerable Movary endpoint while setting or influencing the referer chain so that after the request completes, the victim's browser is redirected to a phishing domain that mimics Movary's login screen.
Root Cause
The root cause is missing validation and sanitization of the client-supplied Referer header before it is used as the destination of an HTTP 303 See Other redirect. The vulnerable code path in src/HttpController/Web/CreateUserController.php calls Header::createLocation($_SERVER['HTTP_REFERER']) without checking that the value resolves to an internal path or trusted host. A parallel issue exists in src/HttpController/Web/ErrorController.php, where a private getReferer() helper returns the raw header value.
Attack Vector
Exploitation requires user interaction: the victim must click an attacker-crafted link, but no authentication bypass or privilege escalation is needed. The attack is executed over the network against any Movary instance running an affected version.
// Patch in src/HttpController/Web/CreateUserController.php
return Response::create(
StatusCode::createSeeOther(),
null,
- [Header::createLocation($_SERVER['HTTP_REFERER'])],
+ [Header::createLocation((string)$request->getHttpReferer())],
);
}
Source: Movary commit 716f703b
// Patch in src/HttpController/Web/ErrorController.php
$this->twig->render(
'page/404.html.twig',
[
- 'referer' => $this->getReferer($request)
+ 'referer' => $request->getHttpReferer()
],
),
);
}
-
- private function getReferer(Request $request) : ?string
- {
- $referer = $_SERVER['HTTP_REFERER'] ?? null;
- if ($referer === null) {
- return null;
- }
-
- if (parse_url($_SERVER['HTTP_REFERER'], PHP_URL_PATH) === $request->getPath()) {
- return null;
- }
-
- return $_SERVER['HTTP_REFERER'];
- }
}
Source: Movary commit 716f703b. The fix routes referer access through the framework's Request::getHttpReferer() accessor, which centralizes validation instead of trusting raw superglobals.
Detection Methods for CVE-2025-64115
Indicators of Compromise
- HTTP 303 See Other responses from Movary settings endpoints containing a Location header pointing to an external, non-Movary domain
- Inbound requests to Movary with Referer headers whose host does not match the Movary instance hostname
- Access logs showing repeated hits to settings endpoints (for example, user creation flows) followed by 3xx redirects to unfamiliar domains
Detection Strategies
- Deploy a web application firewall rule that inspects the Referer header on requests to Movary and blocks values whose host component does not match the deployed instance
- Compare the Host header and the parsed host of the Referer header in access logs; flag mismatches on POST requests
- Search for phishing lures that link to Movary URLs, indicating attempted abuse of the redirect chain
Monitoring Recommendations
- Enable verbose access logging on the reverse proxy fronting Movary, including the Referer header value
- Alert when Movary responds with Location headers pointing to domains outside an approved allowlist
- Track user reports of unexpected logout or credential prompts after clicking Movary links
How to Mitigate CVE-2025-64115
Immediate Actions Required
- Upgrade all Movary deployments to version 0.69.0 or later, which replaces raw $_SERVER['HTTP_REFERER'] usage with the validated Request::getHttpReferer() accessor
- Inventory internet-exposed Movary instances and prioritize patching those reachable by untrusted users
- Notify Movary users about phishing risk and instruct them to verify the address bar after clicking Movary links
Patch Information
The fix is delivered in Movary 0.69.0 through pull request #713 and commit 716f703b. Full details are documented in the GitHub Security Advisory GHSA-pm58-79jw-q79f.
Workarounds
- Place Movary behind a reverse proxy that strips or validates the Referer header against the deployment hostname before forwarding requests
- Restrict access to the Movary settings endpoints to trusted networks until the upgrade is applied
- Educate users to avoid clicking Movary links from untrusted sources until patching is complete
# Example nginx snippet: drop external Referer values before proxying to Movary
map $http_referer $safe_referer {
default "";
"~^https?://movary\.example\.com/" $http_referer;
}
server {
listen 443 ssl;
server_name movary.example.com;
location / {
proxy_set_header Referer $safe_referer;
proxy_pass http://127.0.0.1:8080;
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

