8.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-67507

CVE-2025-67507: Filament multi-factor authentication (app) recovery codes can be used multiple times

Summary

A flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused indefinitely. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled.

Impact

If an attacker gains access to both the user's password and their recovery codes, they can repeatedly complete MFA without the user's app-based second factor. This weakens the expected security of MFA by turning recovery codes into a static, long-term bypass method.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-67507

CVE-2025-67507:

8.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
filament/filament	composer	>= 4.0.0, < 4.3.1	4.3.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the provided patch commit 87ff60ad9b6e16d4e14ee36a220b8917dd7b0815 clearly indicates that the vulnerability is located in the verifyRecoveryCode method of the Filament\Panels\Auth\MultiFactor\App\AppAuthentication class. The vulnerability allowed for the reuse of multi-factor authentication recovery codes because the function would validate a code without subsequently invalidating it. An attacker who had compromised a user's password and their recovery codes could therefore maintain persistent access. The patch rectifies this by ensuring that once a recovery code is used, it is removed from the list of valid codes for the user, thus preventing its reuse. The added test case in the commit further confirms this was the intended fix for the security flaw.

Vulnerable functions

Filament\Panels\Auth\MultiFactor\App\AppAuthentication::verifyRecoveryCode

packages/panels/src/Auth/MultiFactor/App/AppAuthentication.php

The vulnerability exists in the `verifyRecoveryCode` function. Before the patch, the function would check if the provided recovery code was valid and, if so, return `true` without invalidating the code. This meant the same recovery code could be used multiple times, defeating the purpose of single-use recovery codes. The patch corrects this by iterating through the codes, and upon finding a valid one, it saves the remaining codes back to the user, effectively removing the one that was just used.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-67507: Filament multi-factor authentication (app) recovery codes can be used multiple times

Summary

Impact

CVE-2025-67507:

8.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

8.1

8.1

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-67507: Filament multi-factor authentication (app) recovery codes can be used multiple times

Summary

Impact

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI