filament/filament
cpe:2.3:a:filamentphp:filament:*:*:*:*:*:*:*
- >= 4.0.0, < 4.3.1
A vulnerability exists in Filament versions from 4.0.0 up to, but not including, 4.3.1 in the handling of recovery codes for app-based multi-factor authentication (MFA). Recovery codes are meant to be single-use, but an accepted code is not invalidated, so the same code can be reused indefinitely and acts as a persistent bypass for MFA. The issue does not affect email-based MFA and only arises when recovery codes are enabled.
Because a recovery code is never consumed, an attacker who obtains a user's password and a single recovery code can pass the MFA step repeatedly; the legitimate user's own use of that code does not revoke it. This can lead to unauthorized access to accounts whose password has already been compromised.
To reproduce this vulnerability, enable app-based multi-factor authentication and recovery codes in Filament versions 4.0.0 through 4.3.0. After generating recovery codes, use one of them to authenticate, then present the same code again on a subsequent login. The second attempt should be rejected, but it succeeds, bypassing the intended one-time-use requirement.
Users can upgrade to Filament version 4.3.1 or later, where this vulnerability has been fixed. Because codes used while a vulnerable version was deployed were never invalidated, consider having users regenerate their recovery codes after upgrading so that any code already exposed is removed from the set.
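The following is an added, illustrative example of the two patterns this advisory contrasts; it is not Filament's code and makes no claim about how Filament stores or checks recovery codes internally. The class name `RecoveryCodeStore` and its methods are assumptions for the example. It hashes codes with `password_hash`, shows a verifier that only checks membership (the reuse bug) beside one that removes the matched code in the same step that accepts it, and drives both with the same code presented twice:

```php
<?php
declare(strict_types=1);

// Illustrative recovery-code handling, NOT Filament's implementation.
// Codes are stored as bcrypt digests so a database leak does not hand
// an attacker usable MFA bypass material.
final class RecoveryCodeStore
{
    /** @var string[] password_hash() digests of codes not yet used */
    private array $hashes = [];

    /** Generate $count random codes formatted as xxxxx-xxxxx-xxxxx-xxxxx. */
    public static function generate(int $count = 8): array
    {
        $codes = [];
        for ($i = 0; $i < $count; $i++) {
            // 10 random bytes -> 20 hex chars, split into 4 groups of 5
            $codes[] = implode('-', str_split(bin2hex(random_bytes(10)), 5));
        }
        return $codes;
    }

    /** @param string[] $plaintextCodes codes shown to the user once, then discarded */
    public function __construct(array $plaintextCodes)
    {
        foreach ($plaintextCodes as $code) {
            $this->hashes[] = password_hash($code, PASSWORD_BCRYPT);
        }
    }

    // VULNERABLE pattern: a membership check only. The matched digest is
    // never removed, so the same code authenticates indefinitely.
    public function verifyWithoutConsuming(string $code): bool
    {
        foreach ($this->hashes as $hash) {
            if (password_verify($code, $hash)) {   // constant-time compare
                return true;
            }
        }
        return false;
    }

    // FIXED pattern: the matched digest is removed in the same step that
    // accepts it, so presenting the code a second time fails.
    public function verifyAndConsume(string $code): bool
    {
        foreach ($this->hashes as $index => $hash) {
            if (password_verify($code, $hash)) {
                unset($this->hashes[$index]);
                $this->hashes = array_values($this->hashes);
                return true;
            }
        }
        return false;
    }

    public function remaining(): int
    {
        return count($this->hashes);
    }
}

// Demo: the same code presented twice against each pattern.
$codes = RecoveryCodeStore::generate();
$first = $codes[0];

$vulnerable = new RecoveryCodeStore($codes);
$vulnerable->verifyWithoutConsuming($first);
echo 'vulnerable pattern, second use of the same code: '
    . ($vulnerable->verifyWithoutConsuming($first) ? 'accepted' : 'rejected') . PHP_EOL;

$fixed = new RecoveryCodeStore($codes);
$fixed->verifyAndConsume($first);
echo 'fixed pattern, second use of the same code: '
    . ($fixed->verifyAndConsume($first) ? 'accepted' : 'rejected') . PHP_EOL;
echo 'fixed pattern, codes remaining: ' . $fixed->remaining() . PHP_EOL;
```

In a real application the digest list lives in a database column, so the consuming verifier must also write the shortened list back, and should do so in the same transaction as the login decision; a verifier that checks the column but never persists a change is exactly the failure class described above, regardless of how carefully the comparison itself is done.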