CVE-2025-64515: CWE-20: Improper Input Validation in open-formulieren open-forms
Open Forms allows users to create and publish smart forms. Prior to versions 3.2.7 and 3.3.3, forms in which prefill data fields are dynamically set to readonly/disabled can be modified by malicious users deliberately trying to change data they are not supposed to. For regular users, these form fields are marked as readonly and cannot be modified through the user interface. This issue has been patched in versions 3.2.7 and 3.3.3.
AI Analysis
Technical Summary
CVE-2025-64515 is a vulnerability classified under CWE-20 (Improper Input Validation) in the open-forms product by open-formulieren, which lets users create and publish smart forms. It affects versions prior to 3.2.7 and the 3.3.x line prior to 3.3.3: form fields that are dynamically set to readonly or disabled for regular users can still be modified by an attacker. Although the user interface marks these fields readonly, the backend does not validate or enforce the restriction, so a low-privileged user who bypasses the user interface can alter data fields they should not be able to change. Relying on this client-side control alone therefore leads to unauthorized modification of data, an integrity violation. The vulnerability is exploitable remotely over the network without user interaction and requires only low-level privileges. The CVSS v3.1 score is 4.3 (medium severity), reflecting the limited impact on confidentiality and availability but a clear impact on integrity. No exploits are known in the wild, and the issue has been addressed in versions 3.2.7 and 3.3.3 by validating and enforcing the readonly/disabled field restrictions on the server side.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to data integrity within smart forms used for data collection, processing, or service delivery. Unauthorized modification of readonly fields could lead to inaccurate data submissions, fraud, or manipulation of critical workflows, especially in sectors like government services, healthcare, finance, and utilities where form data drives decision-making or compliance processes. While confidentiality and availability are not directly impacted, the integrity breach could undermine trust in digital forms and lead to regulatory or operational consequences. Organizations relying on open-forms for public-facing or internal forms should consider the risk of malicious insiders or external attackers exploiting this flaw to alter data undetected. The absence of known exploits suggests limited active targeting but does not eliminate the risk of future attacks once the vulnerability details are widely known.
Mitigation Recommendations
European organizations using open-forms should upgrade immediately to version 3.2.7 or 3.3.3 (or later) to apply the official patch, which enforces server-side validation of readonly and disabled fields. Until the upgrade is applied, organizations should add their own server-side input validation that rejects unauthorized modifications of protected fields. Monitoring and logging form submissions for anomalous changes to readonly fields can help detect exploitation attempts. Restricting access to form management interfaces and applying the principle of least privilege reduces the risk of low-privileged users exploiting this issue. Organizations should also review custom form configurations to ensure that no other client-side restriction is relied upon without backend enforcement. User awareness and training on secure form usage and on reporting suspicious behaviour can further reduce risk.
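The server-side check the recommendations describe, as an added example that is not Open Forms' own code: the server re-derives which fields are readonly from its own prefill data (the readonly attribute rendered in the browser is treated as a UX hint only), compares each submitted value with the prefilled one, and either rejects the submission or keeps the authoritative value while logging the attempt for detection. The FieldConfig schema, the readonly_if_prefilled flag, the prefill dictionary and all sample values are assumptions constructed for this illustration.

```python
"""Server-side enforcement of readonly/disabled prefill fields.

Added illustration, not Open Forms code. The readonly attribute rendered
in the browser is only a UX hint; the server derives the protected set
from its own prefill data and validates every submitted value against it.
"""
import logging
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Set, Tuple

log = logging.getLogger("form.integrity")


@dataclass(frozen=True)
class FieldConfig:
    """Hypothetical per-field configuration (assumed schema, not Open Forms')."""
    key: str
    readonly: bool = False               # always readonly
    readonly_if_prefilled: bool = False  # readonly only when the server prefilled it


class ReadonlyFieldTampered(ValueError):
    """Raised when a submission changes a field the server marked readonly."""

    def __init__(self, violations: List[Tuple[str, object, object]]):
        self.violations = violations
        keys = ", ".join(k for k, _, _ in violations)
        super().__init__(f"readonly field(s) altered: {keys}")


@dataclass
class ValidationResult:
    data: Dict[str, object]                         # values the server will store
    violations: List[Tuple[str, object, object]] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.violations


def protected_fields(fields: Sequence[FieldConfig], prefill: Dict[str, object]) -> Set[str]:
    """Re-derive the readonly set on the server from trusted prefill data,
    never from attributes or flags echoed back by the client."""
    return {
        f.key for f in fields
        if f.readonly or (f.readonly_if_prefilled and f.key in prefill)
    }


def validate_submission(fields, prefill, submitted, *, reject=True) -> ValidationResult:
    """Enforce readonly fields when a submission is processed.

    reject=True  -> raise ReadonlyFieldTampered if a protected field was altered
    reject=False -> keep the prefill value, discard the client's, still log it
    Keys not defined in the form are dropped (allowlist) in both modes.
    """
    protected = protected_fields(fields, prefill)
    result = ValidationResult(data={})
    for f in fields:
        if f.key in protected:
            expected = prefill.get(f.key)
            # An omitted readonly field is not tampering; a different value is.
            got = submitted.get(f.key, expected)
            if got != expected:
                result.violations.append((f.key, expected, got))
                log.warning("readonly field %r altered: expected=%r got=%r",
                            f.key, expected, got)
            result.data[f.key] = expected  # the server's value always wins
        else:
            result.data[f.key] = submitted.get(f.key)
    if reject and result.violations:
        raise ReadonlyFieldTampered(result.violations)
    return result


# Constructed sample data (not taken from the advisory or the project).
FORM = [
    FieldConfig("bsn", readonly=True),
    FieldConfig("postcode", readonly_if_prefilled=True),
    FieldConfig("email"),
]
PREFILL = {"bsn": "PLACEHOLDER-BSN", "postcode": "1234AB"}  # from the authenticated session
HONEST = {"bsn": "PLACEHOLDER-BSN", "postcode": "1234AB", "email": "user@example.org"}
TAMPERED = {"bsn": "OTHER-BSN", "postcode": "1234AB",
            "email": "user@example.org", "is_staff": True}  # undefined key is dropped


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(validate_submission(FORM, PREFILL, HONEST).ok)
    res = validate_submission(FORM, PREFILL, TAMPERED, reject=False)
    print(res.violations, res.data)
    try:
        validate_submission(FORM, PREFILL, TAMPERED)
    except ReadonlyFieldTampered as exc:
        print("rejected:", exc)
```

Whether to reject or silently overwrite is a product decision; either way the warning log line gives the monitoring the recommendations ask for, since a legitimate browser session never sends a changed value for a field it rendered readonly.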
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium, Sweden, Denmark, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-05T21:15:39.400Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691d040cb61595322dd84bc9
Added to database: 11/18/2025, 11:41:00 PM
Last enriched: 11/26/2025, 12:16:50 AM
Last updated: 1/7/2026, 4:17:57 AM