CVE-2025-64515

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-64515

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64515.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-64515

Aliases

GHSA-cp63-63mq-5wvf

Published

2025-11-18T22:39:48.150Z

Modified

2026-04-02T13:00:02.913207Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Open Forms prefill data in read-only components can be tampered

Details

Open Forms allows users create and publish smart forms. Prior to versions 3.2.7 and 3.3.3, forms where the prefill data fields are dynamically set to readonly/disabled can be modified by malicious users deliberately trying to modify data they're not supposed to. For regular users, the form fields are marked as readonly and cannot be modified through the user interface. This issue has been patched in versions 3.2.7 and 3.3.3.

Database specific

{
    "cwe_ids": [
        "CWE-20"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64515.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/open-formulieren/open-forms

Affected ranges

Type

GIT

Repo

https://github.com/open-formulieren/open-forms

Events

Introduced

f1fec608fcc33d49c463205ba8ae99745f3d7875

Fixed

f080250ed8ed773114d5e4675cae035eda53782e

Database specific

{
    "versions": [
        {
            "introduced": "3.3.0"
        },
        {
            "fixed": "3.3.3"
        }
    ]
}

Type

GIT

Repo

https://github.com/open-formulieren/open-forms

Events

Introduced

Fixed

ee995bff22ec4d0c67acbbad0349a07edfdb121e

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.2.7"
        }
    ]
}

Affected versions

1.*

1.0.0

1.0.0-rc.0

1.0.0-rc.1

1.0.0-rc.2

1.0.0-rc.3

1.0.0-rc.4

1.0.1

1.0.10

1.0.11

1.0.12

1.0.13

1.0.14

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

1.1.0

1.1.0-rc.0

1.1.0-rc.1

1.1.1

1.1.10

1.1.11

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

1.1.7

1.1.8

1.1.9

1.5.0-hodm.1

1.5.0-hodm.2

2.*

2.0.0

2.0.0-beta.0

2.0.0-rc.0

2.0.0-rc.1

2.0.1

2.0.1+denhaag.cdcbb6b79629088371d20ad674174f02bfb26bdb

2.0.1-denhaag

2.0.1-denhaag.cdcbb6b79629088371d20ad674174f02bfb26bdb

2.0.10

2.0.11

2.0.2

2.0.3

2.0.4

2.0.4-rc.0

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.1.0

2.1.0-alpha.0

2.1.0-alpha.1

2.1.0-alpha.2

2.1.0-beta.0

2.1.0-rc.0

2.1.0-rc.1

2.1.1

2.1.1-issue2875

2.1.1-issue2875-2

2.1.1-rc.0

2.1.1-rc.1

2.1.10

2.1.11

2.1.2

2.1.2-beta.0

2.1.3

2.1.4

2.1.5

2.1.5-analytics-test

2.1.5-analytics-test.1

2.1.5-beta.0

2.1.6

2.1.7

2.1.8

2.1.9

2.2.0

2.2.0-alpha.0

2.2.0-alpha.1

2.2.0-beta.0

2.2.1

2.2.1-beta.0

2.2.10

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.3.0

2.3.0-alpha.0

2.3.0-alpha.1+hodm

2.3.0-haalcentraalhr.0

2.3.0-haalcentraalhr.1

2.3.0-hodm.1

2.3.0-hodm.2

2.3.0-rc.0

2.3.0-rc.1

2.3.0-rc.2

2.3.1

2.3.2

2.3.3

2.3.4

2.3.4-odru.0

2.3.5

2.3.6

2.3.7

2.3.8

2.3.9

2.4.0

2.4.0-alpha.0

2.4.0-post.0

2.4.0-testing.0

2.4.0-testing.1

2.4.0-testing.2

2.4.1

2.4.1-dh

2.4.10

2.4.2

2.4.3

2.4.4

2.4.5

2.4.6

2.4.7

2.4.8

2.4.9

2.5.0

2.5.0-alpha.0

2.5.0-beta.0

2.5.0-beta.1

2.5.0-beta.2

2.5.0-beta.3

2.5.0-beta.4

2.5.0-beta.5

2.5.1

2.5.10

2.5.11

2.5.12

2.5.13

2.5.2

2.5.3

2.5.4

2.5.5

2.5.6

2.5.7

2.5.8

2.5.9

2.6.0

2.6.0-alpha.0

2.6.0-beta.0

2.6.0-beta.1

2.6.0-beta.2

2.6.1

2.6.1-beta.0

2.6.10

2.6.11

2.6.12

2.6.13

2.6.14

2.6.15

2.6.2

2.6.2-beta.0

2.6.2-beta.1

2.6.2-beta.2

2.6.3

2.6.3-beta.0

2.6.3-beta.1

2.6.4

2.6.5

2.6.5-beta.0

2.6.6

2.6.7

2.6.8

2.6.9

2.7.0

2.7.0-alpha.0

2.7.1

2.7.10

2.7.11

2.7.2

2.7.3

2.7.4

2.7.5

2.7.6

2.7.7

2.7.8

2.7.9

2.8.0

2.8.0-alpha.0

2.8.0-beta.0

2.8.1

2.8.1-pre.0

2.8.2

2.8.3

2.8.4

2.8.5

2.8.6

2.8.7

2.8.8

2.8.9

3.*

3.0.0

3.0.0-alpha.0

3.0.0-alpha.1

3.0.0-celery55rc.0

3.0.0-rc.0

3.0.0-rc.1

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.1.0

3.1.0-alpha.0

3.1.0-alpha.1

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.2.0

3.2.0-alpha.0

3.2.0-alpha.1

3.2.1

3.2.2

3.2.3

3.2.4

3.2.5

3.2.6

3.3.0

3.3.0-alpha.0

3.3.0-alpha.1

3.3.0-alpha.9e15db3a36df8ead

3.3.0-rc.0

3.3.1

3.3.1-alpha.0

3.3.10

3.3.11

3.3.12

3.3.13

3.3.14

3.3.15

3.3.2

3.3.3

3.3.4

3.3.5

3.3.6

3.3.7

3.3.8

3.3.9

3.4.0

3.4.0-alpha.0

3.4.0-alpha.1

3.4.0-alpha.2

3.4.0-leiden.0

3.4.0-leiden.1

3.4.1

3.4.2

3.4.3

3.4.4

3.4.5

3.4.6

3.4.7

3.4.8

3.5.0-alpha.0

3.5.0-alpha.1

3.5.0-alpha.2

Other

3967-eh-branch-number

POC

before-sdk

ci-test

cosign-test

demodam

digid-more-logs

digid-test-1

digid-test-2

eh_broker_upgrade_1

eherkenning-test-1

eherkenning-test-2

eherkenning-test-4

eidas_test1

eidas_test3

eidas_test4

eidas_test5

eidas_test6

eidas_test7

eidas_test8

eidas_test9

experiment-optimize-iter-components

fieldlab-open-product

fieldlab-open-product-v2

fieldlab-open-product-v3

fix-5035

fix-5058

issue-1428

latest-py310

logius-report

mvp

oidc-digid

oidc-digid-machtigen

oidc-multidomain

perf-profiling-before-logic-refactor

restore_dh_11112022

revert_dh

setup-configuration

sprint-10

sprint-11

sprint-4

sprint-5

sprint-6

sprint-7

sprint-8

sprint-9

still-functional

tag-push-test

test-e2e-tests

test_demo_extension

test_eherkenning_settings

test_eherkenning_settings_1

test_eherkenning_settings_2

test_eherkenning_settings_3

archive/1.*

archive/1.0.x

archive/1.1.x

archive/2.*

archive/2.0.x

archive/2.1.x

archive/2.2.x

archive/2.3.x

archive/2.4.x

archive/2.5.x

archive/2.6.x

archive/2.7.x

archive/2.8.x

archive/3.*

archive/3.0.x

archive/3.1.x

test-oidc-refactor.*

test-oidc-refactor.0

test-oidc-refactor.1

test-oidc-refactor.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64515.json"