CVE-2025-64116

6.1 MEDIUM

📋 TL;DR

This vulnerability allows attackers to redirect authenticated users to malicious external websites via an unvalidated redirect parameter on the login page. It affects all Movary users running versions before 0.69.0 who could be tricked into clicking specially crafted login links.

💻 Affected Systems

Products:
  • Movary
Versions: All versions prior to 0.69.0
Operating Systems: Any OS running Movary
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable if using affected versions.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Users could be redirected to phishing sites that steal credentials or install malware, leading to account compromise and potential credential reuse attacks.

🟠 Likely Case

Attackers could redirect users to malicious sites for phishing, ad fraud, or drive-by download attacks, potentially compromising user accounts.

🟢 If Mitigated

With proper URL validation, users would only be redirected to trusted internal pages, preventing external redirection attacks.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction (clicking malicious link) and user authentication. Attackers need to craft malicious URLs with redirect parameters.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.69.0

Vendor Advisory: https://github.com/leepeuker/movary/security/advisories/GHSA-7q72-x26x-7f8g

Restart Required: No

Instructions:

1. Back up your Movary installation and database.
2. Update to version 0.69.0 or later via git pull or package update.
3. Verify that the update completed successfully.

🔧 Temporary Workarounds

Input Validation Filter


Implement server-side validation so that the login page only redirects to trusted internal URLs.

Modify login.php to validate the redirect parameter against the allowed domains before issuing the redirect.
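The workaround above calls for validating the redirect parameter inside Movary's PHP login handler. The function below is an added illustration of that check written in Python (it is not Movary's code; the function name, the default landing path and the own_host argument are assumed names), and it goes beyond a plain host comparison by rejecting the shapes that commonly slip past one: protocol-relative targets, extra leading slashes, backslashes, userinfo tricks, non-HTTP schemes and control characters.

```python
from urllib.parse import urlsplit, urlunsplit

# Where to send the user when the requested target is not acceptable (assumed value).
DEFAULT_LANDING = "/"


def safe_redirect_target(raw: str, own_host: str) -> str:
    """Return a redirect target that stays on this Movary instance.

    Only same-origin paths are accepted. Anything that could leave the site
    falls back to DEFAULT_LANDING. own_host is the host[:port] this
    installation is served from, as it appears in the Host header.
    """
    if not raw:
        return DEFAULT_LANDING
    # Control characters / whitespace: header injection or parser confusion.
    if any(ord(ch) < 0x21 for ch in raw):
        return DEFAULT_LANDING
    # Backslashes: browsers normalise '\' to '/', so '/\evil' becomes '//evil'.
    if "\\" in raw:
        return DEFAULT_LANDING
    # '//host' and '///host' are scheme-relative in browsers even though
    # urlsplit() would report '///host' as a plain path.
    if raw.startswith("//"):
        return DEFAULT_LANDING
    parts = urlsplit(raw)
    if parts.scheme or parts.netloc:
        # Absolute URL: allow only http(s) and only our own host. Comparing the
        # whole netloc (not just hostname) also catches 'https://own@evil/'.
        if parts.scheme not in ("http", "https") or parts.netloc.lower() != own_host.lower():
            return DEFAULT_LANDING
        path = parts.path or "/"
    else:
        path = parts.path
    # A relative target must be rooted with exactly one slash: '/x' ok,
    # 'x' (resolves oddly) and '//x' (scheme-relative) are not.
    if not path.startswith("/") or path.startswith("//"):
        return DEFAULT_LANDING
    # Emit a bare same-site path plus query; scheme, host and fragment are dropped.
    return urlunsplit(("", "", path, parts.query, ""))


if __name__ == "__main__":
    # Constructed sample inputs; 'movary.example' stands in for the real host.
    for candidate in ["/dashboard?tab=1", "https://movary.example/settings",
                      "https://evil.example/", "//evil.example", "///evil.example",
                      "/\\evil.example", "javascript:alert(1)", "dashboard"]:
        print(f"{candidate!r:40} -> {safe_redirect_target(candidate, 'movary.example')}")
```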

🧯 If You Can't Patch

  • Implement web application firewall rules to block external redirects from login parameters
  • Educate users about phishing risks and suspicious login links

🔍 How to Verify

Check if Vulnerable:

Check whether login.php accepts a 'redirect' parameter that points to an external domain such as https://example.com

Check Version:

Check the Movary version in the admin panel or via git describe --tags

Verify Fix Applied:

Test that the redirect parameter only accepts internal URLs after the update

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to login.php with external URLs in redirect parameter
  • Unusual redirect patterns in access logs

Network Indicators:

  • Outbound redirects from login page to external domains

SIEM Query:

source="web_logs" url="*login.php*" redirect="*http*" | where redirect contains external_domain
