CVE-2025-67507 — Filament multi-factor authentication (app) recovery codes can be used multiple t

Description

A flaw in the handling of recovery codes for **app-based multi-factor authentication** allows the same recovery code to be reused indefinitely. This issue does **not** affect email-based MFA. It also only applies when recovery codes are enabled. If an attacker gains access to both the user's password and their recovery codes, they can repeatedly complete MFA without the user's app-based second factor. This weakens the expected security of MFA by turning recovery codes into a static, long-term bypass method.

How to fix CVE-2025-67507

To remediate CVE-2025-67507, upgrade the affected package to a fixed version below.

—upgrade to 4.3.1 or later

Is CVE-2025-67507 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 4.0.0, < 4.3.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-67507
PATCHgithub.com/filamentphp/filament
WEBgithub.com/filamentphp/filament/commit/87ff60ad9b6e16d4e14ee36a220b8917dd7b0815
WEBgithub.com/filamentphp/filament/security/advisories/GHSA-pvcv-q3q7-266g