CVE-2025-64515: CWE-20: Improper Input Validation in open-formulieren open-forms
Open Forms allows users to create and publish smart forms. Prior to versions 3.2.7 and 3.3.3, form fields whose prefill data is dynamically set to readonly/disabled can be modified by malicious users deliberately trying to change data they are not supposed to. For regular users, these fields are marked readonly and cannot be modified through the user interface. This issue has been patched in versions 3.2.7 and 3.3.3.
AI Analysis
Technical Summary
CVE-2025-64515 is an input validation vulnerability classified under CWE-20 affecting the open-forms product by open-formulieren. The vulnerability exists in versions prior to 3.2.7 and between 3.3.0 and 3.3.3, where form fields that are dynamically set to readonly or disabled for regular users can still be manipulated by malicious actors. Although the UI prevents users from modifying these fields, the underlying input validation does not enforce this restriction server-side, allowing attackers with at least limited privileges to alter data fields that should be immutable. This improper input validation flaw compromises data integrity by enabling unauthorized modifications without requiring user interaction. The vulnerability has a CVSS 3.1 base score of 4.3, reflecting a medium severity level due to its limited impact on confidentiality and availability and the requirement for some privileges to exploit. No known exploits have been reported in the wild, but the issue has been addressed in versions 3.2.7 and 3.3.3 of open-forms. Organizations using affected versions should apply these patches promptly to prevent potential data tampering. The vulnerability is particularly relevant for environments where form data integrity is critical, such as government services, financial institutions, and healthcare providers that rely on open-forms for data collection and processing.
Potential Impact
The primary impact of CVE-2025-64515 is on data integrity, as attackers can modify form data fields that should be readonly or disabled, potentially leading to inaccurate or fraudulent information being submitted and processed. For European organizations, this could undermine trust in digital forms used for regulatory reporting, customer onboarding, or internal workflows. While confidentiality and availability are not directly affected, the integrity compromise could result in compliance violations, financial losses, or operational disruptions if critical data is altered. Sectors such as public administration, financial services, and healthcare are particularly sensitive to data integrity issues and may face regulatory scrutiny under GDPR or other local data protection laws if manipulated data leads to incorrect decisions or disclosures. The requirement for some level of privileges to exploit the vulnerability reduces the risk from external attackers but does not eliminate insider threat or exploitation via compromised accounts. The absence of known exploits in the wild suggests limited current active exploitation but does not preclude future attacks if patches are not applied.
Mitigation Recommendations
European organizations should immediately verify which version of open-forms is deployed and upgrade to version 3.2.7 or 3.3.3 (or later), in which the vulnerability is patched. In addition to patching, organizations should implement strict access controls and monitoring to limit which users hold privileges that could be used to exploit this vulnerability. Input validation should be enforced server-side so that readonly or disabled fields cannot be modified regardless of client-side restrictions: the server must treat its own copy of the prefilled value as authoritative and refuse or discard a differing client-supplied value. Conduct thorough audits of form data integrity and implement anomaly detection to identify suspicious modifications. Organizations should also review and tighten their user privilege management and consider multi-factor authentication to reduce the risk of compromised accounts being used to exploit this flaw. Finally, maintain an incident response plan that includes procedures for investigating and mitigating data integrity incidents related to form submissions.
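The server-side check recommended above, as an added example that is not open-forms code and uses none of its APIs. The form definition, the `prefill`/`readonly` flags, the field names and the two submitted payloads are all constructed for illustration. The idea is the general one a defender wants regardless of framework: a field that the server marked readonly or populated from a trusted source is locked, the server's value wins, and a client value that differs is recorded as a rejected tamper attempt instead of being silently merged.

```python
"""Server-side enforcement of readonly/prefilled form fields.

Added example for this advisory; NOT open-forms code. The form schema,
flags and payloads below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class FieldDef:
    """One component of a form definition (constructed; not the open-forms schema)."""
    key: str
    readonly: bool = False   # statically read-only in the form design
    prefill: bool = False    # value is filled in server-side from a trusted source


@dataclass
class ValidationResult:
    accepted: dict[str, object]
    # key -> (value the client sent, value the server holds)
    rejected: dict[str, tuple[object, object]] = field(default_factory=dict)
    # keys the client sent that the form does not define at all
    dropped: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.rejected


def is_locked(fdef: FieldDef, server_values: dict[str, object]) -> bool:
    """A field is locked for the client when it is statically read-only, or when
    it is a prefill field the server actually populated for this submission
    (the dynamic readonly/disabled case described in the advisory)."""
    return fdef.readonly or (fdef.prefill and fdef.key in server_values)


def validate_submission(
    form: list[FieldDef],
    server_values: dict[str, object],
    client_data: dict[str, object],
) -> ValidationResult:
    """Merge a client payload against server-held state.

    Locked fields always take the server value; a differing client value is
    recorded in `rejected` so the caller can refuse the submission and log it.
    Editable fields come from the client. Undefined keys are dropped, never stored.
    """
    defs = {f.key: f for f in form}
    result = ValidationResult(accepted={})
    result.dropped = [k for k in client_data if k not in defs]
    for key, fdef in defs.items():
        if is_locked(fdef, server_values):
            server_value = server_values.get(key)
            result.accepted[key] = server_value
            if key in client_data and client_data[key] != server_value:
                result.rejected[key] = (client_data[key], server_value)
        elif key in client_data:
            result.accepted[key] = client_data[key]
    return result


# Constructed form: identifier and name are prefilled from a registry and shown
# read-only; the case number is statically read-only; the phone number is editable.
FORM = [
    FieldDef("citizen_id", prefill=True),
    FieldDef("full_name", prefill=True),
    FieldDef("phone"),
    FieldDef("case_number", readonly=True),
]
SERVER_VALUES = {"citizen_id": "ID-0001", "full_name": "A. Example", "case_number": "CASE-42"}

# Constructed payloads: an honest client only fills the editable field; the
# tampered one also rewrites a prefilled identifier and smuggles an extra key.
HONEST = {"citizen_id": "ID-0001", "full_name": "A. Example",
          "case_number": "CASE-42", "phone": "+31 6 0000 0000"}
TAMPERED = {**HONEST, "citizen_id": "ID-9999", "is_admin": True}


if __name__ == "__main__":
    for label, payload in (("honest", HONEST), ("tampered", TAMPERED)):
        r = validate_submission(FORM, SERVER_VALUES, payload)
        print(label, "ok" if r.ok else f"REJECTED {r.rejected}", "dropped:", r.dropped)
```

The `is_locked` rule is the part that matters for this CVE: whether a field is readonly is decided from the server's own knowledge (the flag in the form definition plus whether the server actually prefilled it), not from any `readonly`/`disabled` attribute the client echoes back. A prefill field the server did not populate stays editable, which is the dynamic behaviour the advisory describes, handled on the server rather than only in the UI.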
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-05T21:15:39.400Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691d040cb61595322dd84bc9
Added to database: 11/18/2025, 11:41:00 PM
Last enriched: 11/18/2025, 11:41:38 PM
Last updated: 11/19/2025, 2:53:02 AM