GHSA-pvcv-q3q7-266g: Filament multi-factor authentication (app) recovery codes can be used multiple times

December 9, 2025

A flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused indefinitely. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled.

References

github.com/advisories/GHSA-pvcv-q3q7-266g
github.com/filamentphp/filament
github.com/filamentphp/filament/commit/87ff60ad9b6e16d4e14ee36a220b8917dd7b0815
github.com/filamentphp/filament/security/advisories/GHSA-pvcv-q3q7-266g

Code Behaviors & Features

Detect and mitigate GHSA-pvcv-q3q7-266g with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →