CVE-2025-67507
Filament multi-factor authentication (app) recovery codes can be used multiple times
8.1
HIGH
CVSS 3.1
EPSS 0.07%
Description
A flaw in the handling of recovery codes for **app-based multi-factor authentication** allows the same recovery code to be reused indefinitely. This issue does **not** affect email-based MFA. It also only applies when recovery codes are enabled. If an attacker gains access to both the user's password and their recovery codes, they can repeatedly complete MFA without the user's app-based second factor. This weakens the expected security of MFA by turning recovery codes into a static, long-term bypass method.
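An added illustration of the flaw and its fix, not Filament's own code: a language-neutral Python model of app-based MFA recovery codes in which the vulnerable check only tests whether a code exists, while the corrected check consumes the code on first use; function names and the hashing scheme are assumptions.

```python
import hashlib
import hmac
import secrets

# Model of app-based MFA recovery codes (constructed example, not Filament's code).
# The account record stores only hashes; the user keeps the plaintext copies offline.


def generate_recovery_codes(count: int = 8) -> list[str]:
    """Return fresh plaintext recovery codes for the user to store."""
    return [secrets.token_hex(5) for _ in range(count)]


def _hash(code: str) -> str:
    # Normalise whitespace/case so a code typed in upper case still matches.
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()


def store_hashes(codes: list[str]) -> list[str]:
    """What the account record holds: hashes only, never plaintext."""
    return [_hash(c) for c in codes]


def _find(stored: list[str], candidate: str) -> int:
    # Constant-time compare against every stored hash; index or -1.
    digest = _hash(candidate)
    for i, h in enumerate(stored):
        if hmac.compare_digest(h, digest):
            return i
    return -1


def verify_vulnerable(stored: list[str], candidate: str) -> bool:
    """Flawed behaviour described in the advisory: the code is checked
    but never invalidated, so the same code passes on every later login."""
    return _find(stored, candidate) != -1


def verify_fixed(stored: list[str], candidate: str) -> bool:
    """Single-use behaviour: on success the matching hash is removed from
    the account's list (persisting the shortened list is the caller's job)."""
    i = _find(stored, candidate)
    if i == -1:
        return False
    del stored[i]
    return True
```

The count of remaining hashes dropping by one per successful login is also the signal an audit log should record; a recovery-code login that leaves the count unchanged is the vulnerable behaviour.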
How to fix CVE-2025-67507
To fix CVE-2025-67507, upgrade the affected package to the patched version listed below.
- — Upgrade to 4.3.1 or later
Is CVE-2025-67507 being exploited?
Low — EPSS is 0.1%; no widespread exploitation activity has been observed so far.
Affected packages (1)
- >= 4.0.0, < 4.3.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |