CVE-2025-67507
Published: 10 December 2025
Summary
CVE-2025-67507 is a high-severity Improper Authentication (CWE-287) vulnerability in Filamentphp Filament. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires proper management of recovery codes as authenticators, including processes for one-time use, invalidation after use, and recovery to prevent indefinite reuse.
Mandates timely identification, reporting, and correction of the specific flaw in Filament's recovery code handling through patching to version 4.3.1.
Requires generation of audit records for authentication events, enabling detection of repeated use of the same recovery code.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables unauthenticated remote attackers to bypass app-based MFA in public-facing Laravel web applications built with Filament by reusing recovery codes, directly facilitating T1190: Exploit Public-Facing Application.
NVD Description
Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.3.0 contain a flaw in the handling of recovery codes for app-based multi-factor authentication, allowing the same recovery code to be reused indefinitely. This issue does…
more
not affect email-based MFA. It also only applies when recovery codes are enabled. This issue is fixed in version 4.3.1.
Deeper analysisAI
CVE-2025-67507 is a vulnerability in Filament, a collection of full-stack components for accelerated Laravel development. It affects versions 4.0.0 through 4.3.0 and stems from improper handling of recovery codes used in app-based multi-factor authentication (MFA). Specifically, the flaw allows the same recovery code to be reused indefinitely, bypassing intended one-time-use protections. This issue does not affect email-based MFA and only applies when recovery codes are enabled. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-287 (Improper Authentication) and CWE-288 (Authentication Bypass Using an Alternate Path or Channel).
Attackers can exploit this over the network without privileges or user interaction, though it requires high attack complexity. An unauthenticated adversary who obtains a single valid recovery code—potentially via phishing, compromise, or other means—can reuse it repeatedly to bypass app-based MFA. Successful exploitation enables unauthorized access to protected Laravel applications built with Filament, resulting in high impacts to confidentiality, integrity, and availability of affected systems.
Filament has addressed the issue in version 4.3.1. Administrators should upgrade to this patched release to mitigate the vulnerability. Additional details are available in the GitHub security advisory (GHSA-pvcv-q3q7-266g) and the fixing commit (87ff60ad9b6e16d4e14ee36a220b8917dd7b0815).
Details
- CWE(s)