GHSA-pvcv-q3q7-266g

Source
https://github.com/advisories/GHSA-pvcv-q3q7-266g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-pvcv-q3q7-266g/GHSA-pvcv-q3q7-266g.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-pvcv-q3q7-266g
Aliases
Published
2025-12-09T17:19:10Z
Modified
2025-12-10T16:08:31.019842Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Filament multi-factor authentication (app) recovery codes can be used multiple times
Details

Summary

A flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused indefinitely. This issue does not affect email-based MFA, and it applies only when recovery codes are enabled.

Impact

If an attacker gains access to both the user's password and their recovery codes, they can repeatedly complete MFA without the user's app-based second factor. This weakens the expected security of MFA by turning recovery codes into a static, long-term bypass method.
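The following is an added illustration of the flaw class described above, not Filament's own code: a recovery-code check that only verifies membership accepts the same code forever, while the hardened version verifies and invalidates the code in the same step. The storage layout (a set of SHA-256 digests) and function names are assumptions for the example.

```python
"""Added example (not Filament's code): a recovery code must be consumed,
not merely verified. Codes are stored as digests; the vulnerable path only
checks membership, the fixed path checks and invalidates in one step."""
import hashlib
import hmac
import secrets


def hash_code(code):
    # Normalise user input (case, whitespace) before hashing, and store only
    # the digest so a leaked table does not yield usable codes.
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()


def generate_recovery_codes(n=8):
    """Return (plaintext codes shown to the user once, digest set to store)."""
    codes = [secrets.token_hex(5) for _ in range(n)]
    return codes, {hash_code(c) for c in codes}


def verify_only(stored, submitted):
    """Vulnerable: a valid code is accepted every time (CWE-287 / CWE-288)."""
    return hash_code(submitted) in stored


def verify_and_consume(stored, submitted):
    """Fixed: a code is accepted at most once; it is removed before returning.
    In a real application do the compare-and-delete in one transaction so two
    concurrent requests cannot both succeed with the same code."""
    digest = hash_code(submitted)
    for known in list(stored):
        if hmac.compare_digest(known, digest):
            stored.discard(known)  # one-time use: invalidate on success
            return True
    return False


def demo():
    """Replay one recovery code twice against both implementations."""
    codes, stored_vuln = generate_recovery_codes()
    stored_fixed = set(stored_vuln)
    code = codes[0]
    vuln = (verify_only(stored_vuln, code), verify_only(stored_vuln, code))
    fixed = (verify_and_consume(stored_fixed, code),
             verify_and_consume(stored_fixed, code))
    return vuln, fixed  # ((True, True), (True, False))


if __name__ == "__main__":
    print(demo())
```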

Database specific
{
    "github_reviewed": true,
    "nvd_published_at": "2025-12-10T01:15:52Z",
    "github_reviewed_at": "2025-12-09T17:19:10Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-287",
        "CWE-288"
    ]
}
References

Affected packages

Packagist / filament/filament

Package

Name
filament/filament
Purl
pkg:composer/filament/filament

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.3.1

Affected versions

v4.*

v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9
v4.0.10
v4.0.11
v4.0.12
v4.0.13
v4.0.14
v4.0.15
v4.0.16
v4.0.17
v4.0.18
v4.0.19
v4.0.20
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.1.5
v4.1.6
v4.1.7
v4.1.8
v4.1.9
v4.1.10
v4.2.0
v4.2.1
v4.2.2
v4.2.3
v4.2.4
v4.3.0