We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-54068

Livewire vulnerable to remote command execution during property update hydration



Description

Livewire is a full-stack framework for Laravel. In Livewire v3 up to and including v3.6.3, a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. The issue stems from how certain component property updates are hydrated. This vulnerability is unique to Livewire v3 and does not affect prior major versions. Exploitation requires a component to be mounted and configured in a particular way, but does not require authentication or user interaction. This issue has been patched in Livewire v3.6.4. All users are strongly encouraged to upgrade to this version or later as soon as possible. No known workarounds are available.

Reserved 2025-07-16 | Published 2025-07-17 | Updated 2025-07-17 | Assigner GitHub_M


CRITICAL: 9.2CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-94: Improper Control of Generation of Code ('Code Injection')

Product status

>= 3.0.0-beta.1, < 3.6.4
affected

References

github.com/...vewire/security/advisories/GHSA-29cq-5w36-x7w3

github.com/...ommit/ef04be759da41b14d2d129e670533180a44987dc

github.com/livewire/livewire/releases/tag/v3.6.4

cve.org (CVE-2025-54068)

nvd.nist.gov (CVE-2025-54068)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-54068

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.