CVE-2025-67507

Filament's multi-factor authentication (app) recovery codes can be used multiple times

CVSS 8.1 HIGHEPSS 0.3%CWE-287 CWE-288

Vexday Risk Score

21Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 8.1EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

10 dez 2025Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.3.0 contain a flaw in the handling of recovery codes for app-based multi-factor authentication, allowing the same recovery code to be reused indefinitely. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled. This issue is fixed in version 4.3.1.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Produtos afetados

filamentphp · filament

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/filamentphp/filament/commit/87ff60ad9b6e16d4e14ee36a220b8917dd7b0815 https://github.com/filamentphp/filament/security/advisories/GHSA-pvcv-q3q7-266g