CVE-2025-64116 Overview
CVE-2025-64116 is an open redirect vulnerability [CWE-601] affecting Movary, a self-hosted web application for tracking, rating, and exploring movie watch history. The login page accepts a redirect parameter without validation, allowing attackers to redirect authenticated users to arbitrary external sites. The issue affects all versions prior to 0.69.0 and is resolved in 0.69.0. Related patches also address unvalidated use of the HTTP_REFERER header in the CreateUserController and ErrorController components.
Critical Impact
Attackers can craft URLs that route Movary users to attacker-controlled domains after login, enabling phishing and credential harvesting campaigns that abuse the trusted Movary origin.
Affected Products
- Leepeuker Movary versions prior to 0.69.0
- Self-hosted Movary deployments exposed to the internet
- Movary instances shared across multiple users where phishing is a concern
Discovery Timeline
- 2025-10-30 - CVE-2025-64116 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-64116
Vulnerability Analysis
Movary's login flow reads a redirect query parameter and forwards the browser to that location after successful authentication. Because the value is trusted without checking scheme, host, or allow-list membership, an attacker can supply an absolute URL pointing outside the application. The related patch in pull request #713 additionally hardens two controllers that consumed $_SERVER['HTTP_REFERER'] directly, replacing raw header access with the framework-provided $request->getHttpReferer() helper.
Root Cause
The root cause is missing validation of user-controlled URL input, classified as URL Redirection to Untrusted Site [CWE-601]. Both the login redirect parameter and the referer header were used to construct Location responses and rendered templates without confirming that the destination belonged to the application.
Attack Vector
Exploitation requires only that a victim click a crafted link and complete the login step. The attacker sends a URL of the form https://<movary-host>/login?redirect=https://evil.example/. After the user authenticates, Movary issues an HTTP redirect to the attacker's domain, which can present a cloned login page or drop malware.
// Patch excerpt: src/HttpController/Web/CreateUserController.php
return Response::create(
StatusCode::createSeeOther(),
null,
- [Header::createLocation($_SERVER['HTTP_REFERER'])],
+ [Header::createLocation((string)$request->getHttpReferer())],
);
}
// Source: https://github.com/leepeuker/movary/commit/716f703b4464ffdb0365c406f3660d275495769f
// Patch excerpt: src/HttpController/Web/ErrorController.php
$this->twig->render(
'page/404.html.twig',
[
- 'referer' => $this->getReferer($request)
+ 'referer' => $request->getHttpReferer()
],
),
);
}
-
- private function getReferer(Request $request) : ?string
- {
- $referer = $_SERVER['HTTP_REFERER'] ?? null;
- if ($referer === null) {
- return null;
- }
-
- if (parse_url($_SERVER['HTTP_REFERER'], PHP_URL_PATH) === $request->getPath()) {
- return null;
- }
-
- return $_SERVER['HTTP_REFERER'];
- }
}
// Source: https://github.com/leepeuker/movary/commit/716f703b4464ffdb0365c406f3660d275495769f
The patch removes direct reads of $_SERVER['HTTP_REFERER'] and delegates parsing to $request->getHttpReferer(), centralizing sanitization logic.
Detection Methods for CVE-2025-64116
Indicators of Compromise
- Web server access logs containing requests to /login with a redirect query parameter pointing to external hosts.
- Outbound HTTP 302/303 responses from Movary whose Location header references a domain not owned by the operator.
- Referrer strings in downstream analytics showing traffic flowing from the Movary login page to unfamiliar domains.
Detection Strategies
- Parse reverse proxy or application logs and flag redirect= values whose host does not match the Movary deployment.
- Alert on any Location response header issued by Movary that contains a scheme plus external authority instead of a relative path.
- Correlate user session start events with subsequent redirects to third-party domains within the same request chain.
Monitoring Recommendations
- Enable verbose access logging on the web server or reverse proxy fronting Movary and retain logs for phishing investigations.
- Monitor DNS and proxy egress telemetry for spikes in traffic to newly registered domains referred from the Movary origin.
- Track Movary release advisories on the GitHub Security Advisory GHSA-7q72-x26x-7f8g page for follow-on fixes.
How to Mitigate CVE-2025-64116
Immediate Actions Required
- Upgrade Movary to version 0.69.0 or later, which is the only vendor-supported fix.
- Restrict Movary administrative and login endpoints behind an authenticating reverse proxy or VPN where feasible.
- Communicate to users that legitimate Movary links will never redirect off-domain after login, reducing phishing success.
Patch Information
The fix is delivered in Movary 0.69.0 via GitHub Pull Request #713 and commit 716f703b. Full details are published in the GitHub Security Advisory GHSA-7q72-x26x-7f8g.
Workarounds
- Configure the reverse proxy to strip or validate the redirect query parameter on requests to /login, allowing only relative paths.
- Enforce a strict Referrer-Policy such as same-origin to reduce leakage of Movary URLs that could be replayed in phishing lures.
- Add a Content Security Policy form-action 'self' directive so browsers block form submissions redirecting to external origins.
# NGINX example: reject absolute redirect targets on the Movary login endpoint
location = /login {
if ($arg_redirect ~* "^https?://") {
return 400;
}
proxy_pass http://movary_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

