8.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-pvcv-q3q7-266g

GHSA-pvcv-q3q7-266g: Filament multi-factor authentication (app) recovery codes can be used multiple times

Summary

A flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused indefinitely. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled.

Impact

If an attacker gains access to both the user's password and their recovery codes, they can repeatedly complete MFA without the user's app-based second factor. This weakens the expected security of MFA by turning recovery codes into a static, long-term bypass method.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-pvcv-q3q7-266g

GHSA-pvcv-q3q7-266g:

8.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
filament/filament	composer	>= 4.0.0, < 4.3.1	4.3.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the provided patch commit 87ff60ad9b6e16d4e14ee36a220b8917dd7b0815 clearly indicates that the vulnerability is located in the verifyRecoveryCode function within the packages/panels/src/Auth/MultiFactor/App/AppAuthentication.php file. The vulnerability description states that recovery codes can be used multiple times. The code change directly addresses this flaw. The original code would find a matching recovery code and immediately return true, without removing the used code from the user's stored recovery codes. The patched code changes this logic to ensure that once a recovery code is used, it is removed from the list of valid codes by saving a new list that excludes the used code. Therefore, any runtime profile during an exploit of this vulnerability would show the Filament\Panels\Auth\MultiFactor\App\AppAuthentication::verifyRecoveryCode function being executed.

Vulnerable functions

Filament\Panels\Auth\MultiFactor\App\AppAuthentication::verifyRecoveryCode

packages/panels/src/Auth/MultiFactor/App/AppAuthentication.php

The vulnerability lies in the `verifyRecoveryCode` function. Prior to the patch, the function would check if the provided recovery code was valid and, if so, return `true` without invalidating the code. This allowed the same recovery code to be used multiple times. The patch corrects this by iterating through all recovery codes, and if a valid one is found, it is not added to the new list of `$remainingCodes`. This new list is then saved, effectively removing the used code.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.1

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-pvcv-q3q7-266g: Filament multi-factor authentication (app) recovery codes can be used multiple times

Summary

Impact

GHSA-pvcv-q3q7-266g:

8.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

GHSA-pvcv-q3q7-266g: Filament multi-factor authentication (app) recovery codes can be used multiple times

Summary

Impact

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

8.1

8.1

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI