CVE-2025-64515

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-64515

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64515.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-64515

Aliases

GHSA-cp63-63mq-5wvf

Published

2025-11-18T22:39:48.150Z

Modified

2026-04-10T05:33:49.516828Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Open Forms prefill data in read-only components can be tampered

Details

Open Forms allows users create and publish smart forms. Prior to versions 3.2.7 and 3.3.3, forms where the prefill data fields are dynamically set to readonly/disabled can be modified by malicious users deliberately trying to modify data they're not supposed to. For regular users, the form fields are marked as readonly and cannot be modified through the user interface. This issue has been patched in versions 3.2.7 and 3.3.3.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64515.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-20"
    ]
}

References

Affected packages

Git / github.com/open-formulieren/open-forms

Affected ranges

Type

GIT

Repo

https://github.com/open-formulieren/open-forms

Events

Introduced

f1fec608fcc33d49c463205ba8ae99745f3d7875

Fixed

f080250ed8ed773114d5e4675cae035eda53782e

Database specific

{
    "versions": [
        {
            "introduced": "3.3.0"
        },
        {
            "fixed": "3.3.3"
        }
    ]
}

Type

GIT

Repo

https://github.com/open-formulieren/open-forms

Events

Introduced

Fixed

ee995bff22ec4d0c67acbbad0349a07edfdb121e

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.2.7"
        }
    ]
}

Affected versions

1.*

1.0.0

1.0.0-rc.0

1.0.0-rc.1

1.0.0-rc.2

1.0.0-rc.3

1.0.0-rc.4

1.5.0-hodm.1

1.5.0-hodm.2

2.*

2.0.0-beta.0

2.1.0-alpha.0

2.1.0-alpha.2

2.2.1-beta.0

2.3.0

2.3.0-alpha.0

2.3.0-alpha.1+hodm

2.3.0-haalcentraalhr.0

2.3.0-hodm.1

2.3.0-hodm.2

2.4.0

2.4.0-alpha.0

2.5.0

2.5.0-alpha.0

2.6.0

2.6.0-alpha.0

2.7.0

2.7.0-alpha.0

2.8.0-alpha.0

2.8.0-beta.0

3.*

3.0.0

3.0.0-alpha.0

3.0.0-rc.0

3.0.0-rc.1

3.0.1

3.1.0

3.1.0-alpha.0

3.1.0-alpha.1

3.2.0

3.2.0-alpha.0

3.2.0-alpha.1

3.2.1

3.2.2

3.2.3

3.2.4

3.2.5

3.2.6

3.3.0

3.3.1

3.3.1-alpha.0

3.3.2

Other

POC

before-sdk

demodam

mvp

perf-profiling-before-logic-refactor

revert_dh

sprint-10

sprint-11

sprint-4

sprint-5

sprint-6

sprint-7

sprint-8

sprint-9

still-functional

tag-push-test

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64515.json"