CVE-2025-64116: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in leepeuker movary
CVE-2025-64116 is an open redirect vulnerability in the Movary web application prior to version 0.69.0. The login page accepts a redirect parameter without proper validation, allowing attackers to redirect authenticated users to arbitrary external websites. This flaw can be exploited to facilitate phishing attacks or redirect users to malicious sites. The vulnerability has a CVSS 4.0 base score of 5.1, indicating medium severity. It does not require authentication or privileges but does require user interaction (clicking a crafted link). The issue is fixed in Movary version 0.69.0.
AI Analysis
Technical Summary
CVE-2025-64116 identifies an open redirect vulnerability (CWE-601) in the Movary web application, a platform used for tracking and rating movie watch history. Versions prior to 0.69.0 contain a flaw in the login page where the redirect parameter is accepted without validation. This allows attackers to craft URLs that redirect authenticated users to arbitrary external sites after login. Such open redirects can be exploited in phishing campaigns to trick users into visiting malicious websites that may harvest credentials or deliver malware. The vulnerability does not require any privileges or authentication to exploit but does require user interaction, such as clicking a malicious link. The CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N) encodes a network attack vector (AV:N), low attack complexity (AC:L), no special attack requirements (AT:N) and active user interaction (UI:A); it records no confidentiality, integrity or availability impact on the Movary instance itself (VC:N/VI:N/VA:N) and low confidentiality and integrity impact on subsequent systems (SC:L/SI:L), which is where the redirected user's trust in the Movary origin is abused. No known exploits are currently in the wild, and the issue was publicly disclosed on October 30, 2025. The vulnerability is resolved in Movary version 0.69.0 by implementing proper validation of the redirect parameter to prevent redirection to untrusted external sites.
Potential Impact
For European organizations using Movary versions prior to 0.69.0, this vulnerability primarily threatens user trust and security by enabling phishing and social engineering attacks. Attackers can redirect users to malicious websites that may attempt credential theft, malware installation, or other fraudulent activities. While the vulnerability does not directly compromise the confidentiality, integrity, or availability of the Movary application or backend systems, successful exploitation could lead to indirect impacts such as account compromise or reputational damage. Organizations with a user base that relies on Movary for media tracking may face increased risk of targeted phishing campaigns leveraging this open redirect flaw. The impact is more pronounced in sectors with high user interaction and where Movary is integrated into broader user authentication workflows or single sign-on environments.
Mitigation Recommendations
European organizations should immediately upgrade Movary to version 0.69.0 or later, where the vulnerability is fixed. Until upgrading, administrators should consider disabling or restricting access to the login page redirect functionality if feasible. Implementing web application firewall (WAF) rules to detect and block suspicious redirect parameters can provide temporary protection. User education campaigns should warn about phishing attempts involving unexpected redirects from Movary URLs. Additionally, organizations should monitor logs for unusual redirect parameter usage and suspicious login redirection patterns. Integrating multi-factor authentication (MFA) can reduce the risk of account compromise even if users are redirected to malicious sites. Finally, security teams should review and update incident response plans to address potential phishing campaigns exploiting this vulnerability.
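As an added example (not Movary's own code; the `redirect` parameter name, the `/` fallback and the access-log lines are assumptions constructed for illustration), the Python below shows the kind of validation the fix calls for and reuses it to flag the log entries the monitoring recommendation refers to. It goes slightly beyond the advisory by covering the absolute, protocol-relative, backslash and embedded-whitespace forms that browsers treat as off-site, which a WAF rule or log check needs to consider as well:

```python
import re
from urllib.parse import parse_qs, urlsplit, urlunsplit


def safe_redirect_target(raw, default="/"):
    """Return a same-origin path derived from `raw`, or `default` if `raw` is not one."""
    if not raw:
        return default
    value = raw.strip()
    # Browsers drop tabs/newlines inside a URL, so an embedded one can hide a scheme
    # from naive string checks; a legitimate path never contains them.
    if any(c.isspace() or ord(c) < 0x20 for c in value):
        return default
    # Browsers treat "\" like "/", so "/\evil.example" is protocol-relative: normalise first.
    value = value.replace("\\", "/")
    # Accept only a root-relative path. Anything starting with "//" (any number of
    # slashes) is parsed by browsers as an authority, i.e. an off-site host.
    if not value.startswith("/") or value.startswith("//"):
        return default
    parts = urlsplit(value)  # with a leading "/" there can be no scheme or netloc
    return urlunsplit(("", "", parts.path, parts.query, ""))  # keep path+query, drop fragment


# Constructed access-log sample (not real Movary logs); "redirect" is the assumed parameter name.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Oct/2025:18:11:15 +0000] "GET /login?redirect=%2Fmovies%3Fpage%3D2 HTTP/1.1" 200 512
203.0.113.7 - - [30/Oct/2025:18:12:01 +0000] "GET /login?redirect=https%3A%2F%2Fevil.example%2F HTTP/1.1" 200 512
203.0.113.9 - - [30/Oct/2025:18:12:40 +0000] "GET /login?redirect=%2F%5Cevil.example HTTP/1.1" 200 512
203.0.113.4 - - [30/Oct/2025:18:13:02 +0000] "GET /login HTTP/1.1" 200 512
"""
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_redirects(log_text, param="redirect"):
    """Return (client_ip, raw_value) for login requests whose redirect value fails validation."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        for raw in parse_qs(urlsplit(match.group(1)).query).get(param, []):
            # default=None turns the validator into a predicate: None means "would be rejected"
            if safe_redirect_target(raw, default=None) is None:
                hits.append((line.split(" ", 1)[0], raw))
    return hits


if __name__ == "__main__":
    for ip, raw in suspicious_redirects(SAMPLE_LOG):
        print(f"{ip} requested an off-site redirect target: {raw!r}")
```

If the application legitimately needs to send users to another origin after login, replace the root-relative check with an explicit allow-list of hosts compared against the parsed `netloc`, rather than a substring or prefix match.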
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Denmark
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-27T15:26:14.128Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6903a6a4aebfcd54748ac674
Added to database: 10/30/2025, 5:55:48 PM
Last enriched: 10/30/2025, 6:11:15 PM
Last updated: 10/30/2025, 7:13:39 PM