CVE-2025-64515
📋 TL;DR
Open Forms versions before 3.2.7 and 3.3.3 contain an input validation vulnerability where form fields marked as readonly or disabled on the client side can be modified by malicious users. This allows attackers to submit data they shouldn't have access to modify. Organizations using vulnerable Open Forms installations are affected.
💻 Affected Systems
- Open Forms
📦 What is this software?
Open Forms by Maykinmedia
⚠️ Risk & Real-World Impact
Worst Case
Malicious users could modify sensitive pre-filled data in forms, potentially altering critical information like financial data, personal identifiers, or system configurations that should be immutable.
Likely Case
Attackers modify form data they shouldn't have access to, potentially bypassing business logic validation and submitting unauthorized data changes.
If Mitigated
With proper server-side validation, modified data would be rejected, limiting impact to failed submission attempts.
🎯 Exploit Status
Exploitation requires user interaction with forms and knowledge of how to modify client-side disabled fields. No authentication bypass is involved.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.7 or 3.3.3
Vendor Advisory: https://github.com/open-formulieren/open-forms/security/advisories/GHSA-cp63-63mq-5wvf
Restart Required: Yes
Instructions:
1. Backup your Open Forms installation and database.
2. Update to version 3.2.7 (for the 3.2.x branch) or 3.3.3 (for the 3.3.x branch).
3. Restart the Open Forms application service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Implement server-side validation
Add server-side validation to reject any submissions where readonly/disabled fields have been modified from their original values.
Disable dynamic readonly/disabled fields
Temporarily remove dynamic readonly/disabled field configurations from vulnerable forms until patching can be completed.
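The server-side check described in the first workaround, as an added illustration that is not Open Forms' own code: the component and submission shapes, the field names and the prefill values are all constructed assumptions. The check treats the server's prefill copy as authoritative and either rejects a submission whose readonly/disabled values differ, or, in the alternative helper, overwrites them so client-side tampering is ignored.

```python
"""Constructed example: server-side check that readonly/disabled fields were
not altered between prefill and submission. Not Open Forms code; the
Component and submission shapes below are assumptions for illustration."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Component:
    """Minimal stand-in for a form component definition (assumed shape)."""
    key: str
    readonly: bool = False
    disabled: bool = False


@dataclass
class ValidationResult:
    accepted: bool
    violations: list[str] = field(default_factory=list)


def validate_immutable_fields(components, prefill, submitted):
    """Reject the submission if any readonly/disabled field differs from the
    server-side prefill value. The client-side flag is advisory only; the
    server's own copy of the value is the source of truth."""
    violations = []
    for comp in components:
        if not (comp.readonly or comp.disabled):
            continue
        expected = prefill.get(comp.key)
        if comp.key in submitted and submitted[comp.key] != expected:
            violations.append(
                f"{comp.key}: expected {expected!r}, got {submitted[comp.key]!r}"
            )
    return ValidationResult(accepted=not violations, violations=violations)


def sanitize_submission(components, prefill, submitted):
    """Alternative hardening: overwrite readonly/disabled values with the
    server-side prefill so tampered values are discarded rather than rejected."""
    cleaned = dict(submitted)
    for comp in components:
        if comp.readonly or comp.disabled:
            cleaned[comp.key] = prefill.get(comp.key)
    return cleaned


# Constructed sample data: a prefilled identifier, a disabled bank field, a free field.
COMPONENTS = [Component("bsn", readonly=True), Component("iban", disabled=True), Component("comment")]
PREFILL = {"bsn": "123456782", "iban": "NL00BANK0123456789"}
TAMPERED = {"bsn": "123456782", "iban": "NL99OTHR0000000001", "comment": "hi"}
```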
🧯 If You Can't Patch
- Implement strict server-side validation for all form submissions to reject modified readonly fields
- Monitor form submission logs for unusual patterns or modifications to readonly fields
🔍 How to Verify
Check if Vulnerable:
Check your Open Forms version. If it's below 3.2.7 (for 3.2.x) or below 3.3.3 (for 3.3.x), you are vulnerable. Test forms with readonly/disabled fields by attempting to modify them via browser developer tools.
Check Version:
Check the Open Forms admin interface or application configuration files for version information.
Verify Fix Applied:
After updating, test that readonly/disabled form fields cannot be successfully modified and submitted. Verify the application version shows 3.2.7 or 3.3.3.
📡 Detection & Monitoring
Log Indicators:
- Unusual form submissions where readonly fields appear modified
- Form validation errors related to readonly field modifications
- Multiple failed submission attempts on forms with readonly fields
Network Indicators:
- POST requests to form submission endpoints with modified readonly field values
- Unusual payload sizes or structures in form submissions
SIEM Query:
source="open-forms" AND (event_type="form_submission" AND readonly_field_modified="true")
🔗 References
- https://github.com/open-formulieren/open-forms/blob/bcf2dc54c695fb7c8c58712627d82c4b766248b6/CHANGELOG.rst#327-2025-11-18
- https://github.com/open-formulieren/open-forms/blob/bcf2dc54c695fb7c8c58712627d82c4b766248b6/CHANGELOG.rst#333-2025-11-18
- https://github.com/open-formulieren/open-forms/security/advisories/GHSA-cp63-63mq-5wvf