High severity · OSV Advisory · Published Dec 10, 2025 · Updated Dec 10, 2025
Filament's multi-factor authentication (app) recovery codes can be used multiple times
CVE-2025-67507
Description
Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.3.0 contain a flaw in the handling of recovery codes for app-based multi-factor authentication, allowing the same recovery code to be reused indefinitely. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled. This issue is fixed in version 4.3.1.
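The flaw class described above, shown as an added example that is not Filament's code or its patch: a recovery-code check that never invalidates the code, next to one that consumes it on first use. The `RecoveryCodeStore` class, its method names and the sample codes are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical in-memory stand-in for a user's stored recovery codes (hashed at rest).
// A real application would persist these hashes on the user record.
final class RecoveryCodeStore
{
    /** @var array<int, string> password hashes of the codes that are still unused */
    private array $hashes;

    public function __construct(array $plainCodes)
    {
        $this->hashes = array_map(fn (string $c) => password_hash($c, PASSWORD_DEFAULT), $plainCodes);
    }

    // Flawed pattern: the code is verified but never invalidated, so it stays valid forever.
    public function verifyWithoutConsuming(string $code): bool
    {
        foreach ($this->hashes as $hash) {
            if (password_verify($code, $hash)) {
                return true;
            }
        }
        return false;
    }

    // Corrected pattern: a matching code is removed before success is reported.
    // With a database, do the lookup and removal in one transaction with a row lock.
    public function verifyAndConsume(string $code): bool
    {
        foreach ($this->hashes as $i => $hash) {
            if (password_verify($code, $hash)) {
                unset($this->hashes[$i]);
                return true;
            }
        }
        return false;
    }
}

// Constructed sample codes, not real values.
$store = new RecoveryCodeStore(['aaaa-1111', 'bbbb-2222']);
var_dump($store->verifyWithoutConsuming('aaaa-1111')); // first presentation
var_dump($store->verifyWithoutConsuming('aaaa-1111')); // same code presented again
var_dump($store->verifyAndConsume('bbbb-2222'));       // first presentation
var_dump($store->verifyAndConsume('bbbb-2222'));       // same code presented again
```

A regression test for a fixed application should present the same recovery code twice and require the second attempt to fail.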
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| filament/filament (Packagist) | >= 4.0.0, < 4.3.1 | 4.3.1 |
Affected products (2)
- Range: v4.0.0, v4.0.1, v4.0.10, …
References (4)
- github.com/advisories/GHSA-pvcv-q3q7-266g (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-67507 (ghsa, ADVISORY)
- github.com/filamentphp/filament/commit/87ff60ad9b6e16d4e14ee36a220b8917dd7b0815 (ghsa, x_refsource_MISC, WEB)
- github.com/filamentphp/filament/security/advisories/GHSA-pvcv-q3q7-266g (ghsa, x_refsource_CONFIRM, WEB)