Overview
CVE-2025-64515 is a medium severity vulnerability affecting Open Forms, a platform for creating and publishing smart forms. The vulnerability allows malicious users to bypass intended readonly or disabled restrictions on form fields and potentially modify data they are not authorized to change. This occurs in forms where the prefill data fields are dynamically set to readonly/disabled.
The vulnerability has been addressed in Open Forms versions 3.2.7 and 3.3.3. Users of earlier versions are strongly encouraged to upgrade to these patched versions.
Technical Details
The vulnerability stems from insufficient enforcement of readonly/disabled attributes on dynamically populated form fields. The user interface correctly renders these fields as readonly for regular users, but that restriction exists only on the client: a user with sufficient technical knowledge can modify the HTTP request sent to the server and change the values of fields the UI presented as readonly. The server-side validation did not prevent this modification, so the altered values were accepted.
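The pattern described above, as an added illustration that is not Open Forms code: a submission handler that stores whatever the client sends for a readonly field (the weak pattern) next to one that re-applies the server-held prefill value and reports any client-side change. The form definition, field names and sample values are constructed for this example; the handler is generic and also covers the case where a readonly field is simply omitted from the request.

```python
"""Server-side enforcement of readonly/prefilled form fields (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class FieldDef:
    key: str
    readonly: bool = False  # readonly/disabled as decided by the server, e.g. after prefill


@dataclass(frozen=True)
class FormDef:
    name: str
    fields: tuple[FieldDef, ...]

    def readonly_keys(self) -> set[str]:
        return {f.key for f in self.fields if f.readonly}


class ReadonlyFieldTampered(ValueError):
    """Raised (in strict mode) when the client changed a server-readonly field."""


def accept_submission_unsafe(form: FormDef, submitted: dict[str, Any]) -> dict[str, Any]:
    """Weak pattern: trusts the client for every field and relies on the UI's
    readonly attribute. A hand-crafted HTTP request bypasses that entirely."""
    return {f.key: submitted.get(f.key) for f in form.fields}


def accept_submission(
    form: FormDef,
    prefill: dict[str, Any],
    submitted: dict[str, Any],
    strict: bool = False,
) -> tuple[dict[str, Any], list[str]]:
    """Hardened pattern: readonly fields always take the server's prefill value.

    The client's value for a readonly field is ignored and recorded as tampering
    when it differs; in strict mode the whole submission is rejected instead.
    Editable fields are passed through for ordinary validation downstream.
    """
    readonly = form.readonly_keys()
    cleaned: dict[str, Any] = {}
    tampered: list[str] = []
    for f in form.fields:
        if f.key in readonly:
            expected = prefill.get(f.key)
            if f.key in submitted and submitted[f.key] != expected:
                tampered.append(f.key)
            cleaned[f.key] = expected  # server value wins, even if the key was omitted
        else:
            cleaned[f.key] = submitted.get(f.key)
    if strict and tampered:
        raise ReadonlyFieldTampered(f"readonly fields modified by client: {sorted(tampered)}")
    return cleaned, tampered


# Constructed sample data (hypothetical form; not taken from the advisory).
FORM = FormDef("address-change", (FieldDef("citizen_id", readonly=True), FieldDef("email")))
SERVER_PREFILL = {"citizen_id": "ID-000001"}          # what the server prefilled
TAMPERED_REQUEST = {"citizen_id": "ID-999999", "email": "user@example.test"}


def demo() -> tuple[dict[str, Any], dict[str, Any], list[str]]:
    unsafe = accept_submission_unsafe(FORM, TAMPERED_REQUEST)
    safe, tampered = accept_submission(FORM, SERVER_PREFILL, TAMPERED_REQUEST)
    return unsafe, safe, tampered


if __name__ == "__main__":
    unsafe, safe, tampered = demo()
    print("weak handler stored:    ", unsafe)
    print("hardened handler stored:", safe, "tampered:", tampered)
```

The key design point is that the readonly decision and the expected value both come from server-side state (the prefill result), never from the submitted payload, so the client cannot influence which fields are protected or what value counts as unchanged. Logging the `tampered` list gives a detection signal for requests that were crafted outside the UI.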
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) score for CVE-2025-64515 is 4.3 (Medium).
The CVSS vector string associated with this vulnerability is likely to include factors such as:
- Attack Vector: Network (AV:N)
- Attack Complexity: Low (AC:L)
- Privileges Required: None (PR:N)
- User Interaction: None (UI:N)
- Scope: Unchanged (S:U)
- Confidentiality Impact: None (C:N)
- Integrity Impact: Low (I:L)
- Availability Impact: None (A:N)
This score reflects the relative ease with which an attacker can exploit the vulnerability and the limited scope of its impact (primarily affecting data integrity).
Possible Impact
Successful exploitation of CVE-2025-64515 can have the following impacts:
- Data Manipulation: Malicious users can alter data within the affected forms, leading to inaccurate or corrupted information.
- Unauthorized Actions: Modified data could trigger unintended actions or processes based on the falsified information.
- Compliance Issues: Depending on the nature of the forms and the data they contain, unauthorized modifications could lead to violations of data privacy regulations or other compliance requirements.
Mitigation and Patch Steps
The recommended mitigation for CVE-2025-64515 is to upgrade your Open Forms installation to version 3.2.7 or 3.3.3, or a later patched version. These versions contain the necessary fixes to prevent unauthorized data modification.
To upgrade Open Forms, follow the official upgrade instructions provided by the Open Forms developers. These instructions typically involve updating the application code, database schema, and any relevant dependencies.
References
- Open Forms Changelog (3.2.7): https://github.com/open-formulieren/open-forms/blob/bcf2dc54c695fb7c8c58712627d82c4b766248b6/CHANGELOG.rst#327-2025-11-18
- Open Forms Changelog (3.3.3): https://github.com/open-formulieren/open-forms/blob/bcf2dc54c695fb7c8c58712627d82c4b766248b6/CHANGELOG.rst#333-2025-11-18
- GitHub Security Advisory: https://github.com/open-formulieren/open-forms/security/advisories/GHSA-cp63-63mq-5wvf
