AI description
CVE-2025-54068 is a remote command execution (RCE) vulnerability found in Livewire, a full-stack framework for Laravel. Specifically, it affects Livewire v3 versions up to and including v3.6.3. The vulnerability stems from how certain component property updates are handled during hydration, which could allow unauthenticated attackers to execute arbitrary code. Exploitation requires a component to be mounted and configured in a particular way but does not require authentication or user interaction. The vulnerability lies in the `hydrateForUpdate` method within the `Livewire\Mechanisms\HandleComponents\HandleComponents` class. A specially crafted update payload can bypass validation and sanitization during the hydration process, causing the framework to interpret untrusted input as executable code. This issue has been patched in Livewire v3.6.4, and users are strongly encouraged to upgrade to this version or later as soon as possible. There are no known workarounds.
- Description: Livewire is a full-stack framework for Laravel. In Livewire v3 up to and including v3.6.3, a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. The issue stems from how certain component property updates are hydrated. This vulnerability is unique to Livewire v3 and does not affect prior major versions. Exploitation requires a component to be mounted and configured in a particular way, but does not require authentication or user interaction. This issue has been patched in Livewire v3.6.4. All users are strongly encouraged to upgrade to this version or later as soon as possible. No known workarounds are available.
- Source: security-advisories@github.com
- NVD status: Analyzed
- Products: livewire
CVSS 4.0
- Type: Secondary
- Base score: 9.2
- Impact score: -
- Exploitability score: -
- Vector string: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity: CRITICAL
CVSS 3.1
- Type: Primary
- Base score: 9.8
- Impact score: 5.9
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity: CRITICAL
- security-advisories@github.com
- CWE-94
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
21
🚨 RCE in #Livewire (CVE-2025-54068)! Our specialists uncovered a critical flaw allowing remote code execution without the APP_KEY, exploiting Livewire’s hydration mechanism + PHP’s loose typing. 🔗 Patch now! (v3.6.4+) https://t.co/a5dFicootF
@Synacktiv
23 Dec 2025
18886 Impressions
30 Retweets
85 Likes
49 Bookmarks
1 Reply
4 Quotes
#VulnerabilityReport #CVE202554068 Critical Livewire RCE (CVE-2025-54068) Threatens Millions of Laravel Apps – Patch Immediately! https://t.co/GChbpHJzWx
@Komodosec
26 Aug 2025
14 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
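Livewire vulnerability CVE-2025-54068 fixed: possible RCE in Laravel apps https://t.co/qVBDI2tkZy A serious vulnerability has been discovered in Livewire. In particular, those using the v3 series are reportedly at risk of attack by unauthenticated threat actors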
@iototsecnews
4 Aug 2025
62 Impressions
1 Retweet
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨Alert🚨 :CVE-2025-54068 : Unauthenticated Remote Command Execution in Livewire Framework v3 Up to 3.6.3 📊729.7K+ Services are found on the https://t.co/ysWb28BTvF yearly. 🔗Hunter Link:https://t.co/VUmfY2hURH 👇Query HUNTER : https://t.co/q9rtuGfZuz="Livewire" https:
@HunterMapping
22 Jul 2025
3264 Impressions
14 Retweets
55 Likes
23 Bookmarks
3 Replies
0 Quotes
A critical vulnerability in Livewire exposes millions of Laravel web applications to unauthenticated remote command execution attacks, compelling immediate upgrades to version 3.6.4. This flaw, CVE-2025-54068, can allow attackers to execute arbitrary commands without any user ...
@CybrPulse
21 Jul 2025
48 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
CVE-2025-54068 Unauthenticated Remote Command Execution in Livewire Framework v3 Up to 3.6.3 https://t.co/Jr776uNhkq
@VulmonFeeds
17 Jul 2025
1 Impression
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-54068 Livewire is a full-stack framework for Laravel. In Livewire v3 up to and including v3.6.3, a vulnerability allows unauthenticated attackers to achieve remote command … https://t.co/2A75cODfcU
@CVEnew
17 Jul 2025
326 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[CVE-2025-54068: CRITICAL] Warning: Vulnerability in Livewire v3 allows remote command execution. Upgrade to v3.6.4 to patch the issue. Exploitation doesn't need authentication or user interaction.#cve,CVE-2025-54068,#cybersecurity https://t.co/yGMOhl3JkQ https://t.co/n2P8kpIoo4
@CveFindCom
17 Jul 2025
89 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:laravel:livewire:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8A81C21A-76FA-4AF1-B265-01730D15D670",
            "versionEndExcluding": "3.6.4",
            "versionStartIncluding": "3.0.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]