CVE-2022-25838

8.1 HIGH

📋 TL;DR

Laravel Fortify before version 1.11.1 has a TOTP (Time-based One-Time Password) vulnerability: a one-time code that has already been accepted can be submitted again and is accepted a second time within the short validity window. This defeats the core property of a one-time password, that each code is valid for a single use, and potentially allows attackers to bypass two-factor authentication. Any Laravel application using Fortify for 2FA with affected versions is vulnerable.

💻 Affected Systems

Products:
  • Laravel Fortify
Versions: All versions before 1.11.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using Fortify's TOTP-based two-factor authentication feature. Applications not using 2FA or using other authentication methods are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers can bypass two-factor authentication entirely, gaining unauthorized access to user accounts even with correct passwords, potentially leading to complete account takeover and data compromise.

🟠 Likely Case

Attackers who intercept or guess a valid TOTP code can reuse it to bypass 2FA for targeted accounts, compromising user sessions and potentially accessing sensitive application data.

🟢 If Mitigated

With proper network segmentation and monitoring, impact is limited to specific user accounts rather than system-wide compromise, but authentication integrity remains weakened.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires valid user credentials first, then reuse of a recently used TOTP code. The vulnerability is well-documented in public GitHub issues.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.11.1

Vendor Advisory: https://github.com/laravel/fortify/issues/201

Restart Required: No

Instructions:

1. Update Laravel Fortify to version 1.11.1 or later using Composer: composer require laravel/fortify:^1.11.1
2. Run composer update
3. Clear Laravel cache: php artisan cache:clear
4. Test TOTP authentication functionality

🔧 Temporary Workarounds

Disable TOTP 2FA temporarily (all versions)

Temporarily disable TOTP-based two-factor authentication until patching is complete by modifying the Fortify configuration to remove the two-factor authentication feature (the features array in config/fortify.php).

🧯 If You Can't Patch

  • Implement additional authentication layers such as IP whitelisting or device fingerprinting
  • Increase monitoring of authentication logs for suspicious TOTP reuse patterns

🔍 How to Verify

Check if Vulnerable:

Check composer.json or run: composer show laravel/fortify | grep version

Check Version:

composer show laravel/fortify | grep version

Verify Fix Applied:

Confirm version is 1.11.1 or higher: composer show laravel/fortify

📡 Detection & Monitoring

Log Indicators:

  • Multiple successful authentications with same TOTP code within short time window
  • Unusual authentication patterns from same user

Network Indicators:

  • Repeated authentication attempts with same credentials+TOTP combination

SIEM Query:

source="laravel.log" AND "authenticated" AND "two_factor" AND time_diff < 30s
