HIGH 8.1

GHSA-pvcv-q3q7-266g

Filament multi-factor authentication (app) recovery codes can be used multiple times

Details

A flaw in the handling of recovery codes for **app-based multi-factor authentication** allows the same recovery code to be reused indefinitely. This issue does **not** affect email-based MFA. It also only applies when recovery codes are enabled.

If an attacker gains access to both the user's password and their recovery codes, they can repeatedly complete MFA without the user's app-based second factor. This weakens the expected security of MFA by turning recovery codes into a static, long-term bypass method.

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist / filament/filament

Introduced in: 4.0.0 Fixed in: 4.3.1

Fix composer require filament/filament:^4.3.1

References

https://github.com/filamentphp/filament/security/advisories/GHSA-pvcv-q3q7-266g [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2025-67507 [ADVISORY]
https://github.com/filamentphp/filament/commit/87ff60ad9b6e16d4e14ee36a220b8917dd7b0815 [WEB]
https://github.com/filamentphp/filament [PACKAGE]