CVE-2025-67507

High

Published: 10 December 2025

Published

10 December 2025

Modified

04 March 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0011 29.3th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.3.0 contain a flaw in the handling of recovery codes for app-based multi-factor authentication, allowing the same recovery code to be reused indefinitely. This issue does…

not affect email-based MFA. It also only applies when recovery codes are enabled. This issue is fixed in version 4.3.1.

Mitigating Controls (NIST 800-53 r5)AI

IA-5 Authenticator Management good match

prevent

Directly requires proper management of recovery codes as authenticators, including processes for one-time use, invalidation after use, and recovery to prevent indefinite reuse.

SI-2 Flaw Remediation good match

prevent

Mandates timely identification, reporting, and correction of the specific flaw in Filament's recovery code handling through patching to version 4.3.1.

AU-12 Audit Record Generation partial match

detect

Requires generation of audit records for authentication events, enabling detection of repeated use of the same recovery code.

Security SummaryAI

CVE-2025-67507 is a vulnerability in Filament, a collection of full-stack components for accelerated Laravel development. It affects versions 4.0.0 through 4.3.0 and stems from improper handling of recovery codes used in app-based multi-factor authentication (MFA). Specifically, the flaw allows the same recovery code to be reused indefinitely, bypassing intended one-time-use protections. This issue does not affect email-based MFA and only applies when recovery codes are enabled. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-287 (Improper Authentication) and CWE-288 (Authentication Bypass Using an Alternate Path or Channel).

Attackers can exploit this over the network without privileges or user interaction, though it requires high attack complexity. An unauthenticated adversary who obtains a single valid recovery code—potentially via phishing, compromise, or other means—can reuse it repeatedly to bypass app-based MFA. Successful exploitation enables unauthorized access to protected Laravel applications built with Filament, resulting in high impacts to confidentiality, integrity, and availability of affected systems.

Filament has addressed the issue in version 4.3.1. Administrators should upgrade to this patched release to mitigate the vulnerability. Additional details are available in the GitHub security advisory (GHSA-pvcv-q3q7-266g) and the fixing commit (87ff60ad9b6e16d4e14ee36a220b8917dd7b0815).

Details

CWE(s): CWE-287 CWE-288

Affected Products

filamentphp

filament

4.0.0 — 4.3.1

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability enables unauthenticated remote attackers to bypass app-based MFA in public-facing Laravel web applications built with Filament by reusing recovery codes, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/filamentphp/filament/commit/87ff60ad9b6e16d4e14ee36a220b8917dd7b0815
Patch · security-advisories@github.com
https://github.com/filamentphp/filament/security/advisories/GHSA-pvcv-q3q7-266g
Vendor Advisory · security-advisories@github.com