CVE-2025-67507

Filament's multi-factor authentication (app) recovery codes can be used multiple times

CVSS 8.1 HIGHEPSS 0.3%CWE-287 CWE-288

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 8.1EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

10 Dec 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.3.0 contain a flaw in the handling of recovery codes for app-based multi-factor authentication, allowing the same recovery code to be reused indefinitely. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled. This issue is fixed in version 4.3.1.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

filamentphp · filament

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/filamentphp/filament/commit/87ff60ad9b6e16d4e14ee36a220b8917dd7b0815 https://github.com/filamentphp/filament/security/advisories/GHSA-pvcv-q3q7-266g