HIGH 8.1

GHSA-pvcv-q3q7-266g

Filament multi-factor authentication (app) recovery codes can be used multiple times

상세

A flaw in the handling of recovery codes for **app-based multi-factor authentication** allows the same recovery code to be reused indefinitely. This issue does **not** affect email-based MFA. It also only applies when recovery codes are enabled.

If an attacker gains access to both the user's password and their recovery codes, they can repeatedly complete MFA without the user's app-based second factor. This weakens the expected security of MFA by turning recovery codes into a static, long-term bypass method.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

Packagist / filament/filament

최초 영향 버전: 4.0.0 수정 버전: 4.3.1

수정 composer require filament/filament:^4.3.1

참고

https://github.com/filamentphp/filament/security/advisories/GHSA-pvcv-q3q7-266g [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2025-67507 [ADVISORY]
https://github.com/filamentphp/filament/commit/87ff60ad9b6e16d4e14ee36a220b8917dd7b0815 [WEB]
https://github.com/filamentphp/filament [PACKAGE]