Security Vulnerability Report
CVE-2025-64515 CVSS 4.3 MEDIUM

CVE-2025-64515

Published: 2025-11-18 23:15:56
Last Modified: 2025-12-02 20:39:24

Description

Open Forms allows users to create and publish smart forms. Prior to versions 3.2.7 and 3.3.3, forms whose prefill data fields are dynamically set to readonly/disabled can be modified by malicious users deliberately trying to change data they are not supposed to modify. For regular users, the form fields are marked as readonly and cannot be modified through the user interface. This issue has been patched in versions 3.2.7 and 3.3.3.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:maykinmedia:open_forms:*:*:*:*:*:*:*:* (versions before 3.2.7) - VULNERABLE
cpe:2.3:a:maykinmedia:open_forms:*:*:*:*:*:*:*:* (versions 3.3.0 up to but not including 3.3.3) - VULNERABLE
Open Forms < 3.2.7
Open Forms 3.3.0-3.3.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
...

References

https://github.com/open-formulieren/open-forms/blob/bcf2dc54c695fb7c8c58712627d82c4b766248b6/CHANGELOG.rst#327-2025-11-18 (Release Notes)
https://github.com/open-formulieren/open-forms/blob/bcf2dc54c695fb7c8c58712627d82c4b766248b6/CHANGELOG.rst#333-2025-11-18 (Release Notes)
https://github.com/open-formulieren/open-forms/security/advisories/GHSA-cp63-63mq-5wvf (Patch, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64515", "sourceIdentifier": "[email protected]", "published": "2025-11-18T23:15:55.690", "lastModified": "2025-12-02T20:39:24.463", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Open Forms allows users create and publish smart forms. Prior to versions 3.2.7 and 3.3.3, forms where the prefill data fields are dynamically set to readonly/disabled can be modified by malicious users deliberately trying to modify data they're not supposed to. For regular users, the form fields are marked as readonly and cannot be modified through the user interface. This issue has been patched in versions 3.2.7 and 3.3.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:maykinmedia:open_forms:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.2.7", "matchCriteriaId": "6357DA53-9F3D-4C21-B0C3-66637A1689B6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:maykinmedia:open_forms:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3.0", "versionEndExcluding": "3.3.3", "matchCriteriaId": "2833EAC3-CAC0-4F95-ADC7-ED250653BF3B"}]}]}], "references": [{"url": "https://github.com/open-formulieren/open-forms/blob/bcf2dc54c695fb7c8c58712627d82c4b766248b6/CHANGELOG.rst#327-2025-11-18", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/open-formulieren/open-forms/blob/bcf2dc54c695fb7c8c58712627d82c4b766248b6/CHANGELOG.rst#333-2025-11-18", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/open-formulieren/open-forms/security/advisories/GHSA-cp63-63mq-5wvf", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}