CVE-2025-67507 HIGH

CVE-2025-67507: Filament's multi-factor authentication (app) recovery codes can be used multiple times

Vendor Filamentphp
Product filament
Weakness CWE-287 · Improper authentication
Published December 10, 2025
Last update December 10, 2025

CVSS base score

8.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.3.0 contain a flaw in the handling of recovery codes for app-based multi-factor authentication, allowing the same recovery code to be reused indefinitely. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled. This issue is fixed in version 4.3.1.

Key dates

02Disclosure timeline

December 10, 2025 CVE published
December 10, 2025 Record updated