GHSA-pvcv-q3q7-266g: Filament multi-factor authentication (app) recovery codes can be used multiple times

Summary

A flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused indefinitely. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled.

Impact

If an attacker gains access to both the user’s password and their recovery codes, they can repeatedly complete MFA without the user’s app-based second factor. This weakens the expected security of MFA by turning recovery codes into a static, long-term bypass method.


Severity: High (GitHub Reviewed). Published Dec 9, 2025 in filamentphp/filament. Updated Dec 9, 2025.

Package

filament/filament (Composer)

Affected versions

>= 4.0.0, < 4.3.1

References

  • GHSA-pvcv-q3q7-266g
  • filamentphp/filament@87ff60a

Published to the GitHub Advisory Database

Dec 9, 2025
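The reuse flaw described in the Summary and Impact above, as an added Python illustration that is not Filament's code and not the referenced fix: a membership-only check (the advisory's bug class) beside a consume-on-use check. The `RecoveryCodeStore` class, its code format and its hashing scheme are assumptions made for this example.

```python
import hashlib
import hmac
import secrets


def _hash_code(code: str) -> str:
    # Store only a digest of each recovery code, never the plaintext
    # (simplified for the example; a real store would use a slow hash or keyed HMAC).
    return hashlib.sha256(code.encode()).hexdigest()


class RecoveryCodeStore:
    """Per-user store of hashed MFA recovery codes (constructed example)."""

    def __init__(self, count: int = 8):
        # Plaintext codes exist only to be shown to the user once at enrolment.
        self.plaintext_codes = [secrets.token_hex(5) for _ in range(count)]
        self._hashes = {_hash_code(c) for c in self.plaintext_codes}

    def verify_reusable(self, code: str) -> bool:
        """Flawed check: a match is accepted but the code is never invalidated,
        so the same code completes MFA again and again."""
        return _hash_code(code) in self._hashes

    def verify_single_use(self, code: str) -> bool:
        """Fixed check: a matching code is removed before returning True,
        so a second presentation of it is rejected."""
        candidate = _hash_code(code)
        for stored in list(self._hashes):  # snapshot so removal is safe
            if hmac.compare_digest(stored, candidate):
                self._hashes.remove(stored)
                return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


def demo() -> dict:
    """Present one code twice to each verifier and report what each accepts."""
    flawed = RecoveryCodeStore()
    code = flawed.plaintext_codes[0]
    results = {"reusable": (flawed.verify_reusable(code), flawed.verify_reusable(code))}
    fixed = RecoveryCodeStore()
    code = fixed.plaintext_codes[0]
    results["single_use"] = (fixed.verify_single_use(code), fixed.verify_single_use(code))
    results["remaining_after_use"] = fixed.remaining()
    return results
```

A second presentation of an already-consumed code is a useful detection signal in the fixed path: it should fail closed and be logged as a possible credential replay.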
