CVE-2025-64116 - Vulnerability Details - OpenCVE

Movary is a web application to track, rate and explore your movie watch history. Prior to 0.69.0, the login page accepts a redirect parameter without validation, allowing attackers to redirect authenticated users to arbitrary external sites. This vulnerability is fixed in 0.69.0.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/leepeuker/movary/commit/716f703b4464ffdb0365c406f3660d275495769f
https://github.com/leepeuker/movary/pull/713
https://github.com/leepeuker/movary/security/advisories/GHSA-7q72-x26x-7f8g

History

Thu, 30 Oct 2025 17:45:00 +0000

Type	Values Removed	Values Added
Description		Movary is a web application to track, rate and explore your movie watch history. Prior to 0.69.0, the login page accepts a redirect parameter without validation, allowing attackers to redirect authenticated users to arbitrary external sites. This vulnerability is fixed in 0.69.0.
Title		Movary vulnerable to an open redirect
Weaknesses		CWE-601
References		https://github.com/leepeuker/movary/commit/716f703b4464ffdb0365c406f3660d275495769f https://github.com/leepeuker/movary/pull/713 https://github.com/leepeuker/movary/security/advisories/GHSA-7q72-x26x-7f8g
Metrics		cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-10-30T17:32:41.434Z

Updated: 2025-10-30T17:32:41.434Z

Reserved: 2025-10-27T15:26:14.128Z

Link: CVE-2025-64116

Vulnrichment

No data.

NVD

Status : Received

Published: 2025-10-30T18:15:33.527

Modified: 2025-10-30T18:15:33.527

Link: CVE-2025-64116

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-64116", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-10-27T15:26:14.128Z", "datePublished": "2025-10-30T17:32:41.434Z", "dateUpdated": "2025-10-30T17:32:41.434Z"}, "containers": {"cna": {"title": "Movary vulnerable to an open redirect", "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "lang": "en", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/leepeuker/movary/security/advisories/GHSA-7q72-x26x-7f8g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/leepeuker/movary/security/advisories/GHSA-7q72-x26x-7f8g"}, {"name": "https://github.com/leepeuker/movary/pull/713", "tags": ["x_refsource_MISC"], "url": "https://github.com/leepeuker/movary/pull/713"}, {"name": "https://github.com/leepeuker/movary/commit/716f703b4464ffdb0365c406f3660d275495769f", "tags": ["x_refsource_MISC"], "url": "https://github.com/leepeuker/movary/commit/716f703b4464ffdb0365c406f3660d275495769f"}], "affected": [{"vendor": "leepeuker", "product": "movary", "versions": [{"version": "< 0.69.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-10-30T17:32:41.434Z"}, "descriptions": [{"lang": "en", "value": "Movary is a web application to track, rate and explore your movie watch history. Prior to 0.69.0, the login page accepts a redirect parameter without validation, allowing attackers to redirect authenticated users to arbitrary external sites. This vulnerability is fixed in 0.69.0."}], "source": {"advisory": "GHSA-7q72-x26x-7f8g", "discovery": "UNKNOWN"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Movary is a web application to track, rate and explore your movie watch history. Prior to 0.69.0, the login page accepts a redirect parameter without validation, allowing attackers to redirect authenticated users to arbitrary external sites. This vulnerability is fixed in 0.69.0."}], "id": "CVE-2025-64116", "lastModified": "2025-10-30T18:15:33.527", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-10-30T18:15:33.527", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/leepeuker/movary/commit/716f703b4464ffdb0365c406f3660d275495769f"}, {"source": "security-advisories@github.com", "url": "https://github.com/leepeuker/movary/pull/713"}, {"source": "security-advisories@github.com", "url": "https://github.com/leepeuker/movary/security/advisories/GHSA-7q72-x26x-7f8g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "security-advisories@github.com", "type": "Primary"}]}