CVE-2025-54068

CRITICAL

Livewire is a full-stack framework for Laravel. In Livewire v3 up to and including v3.6.3, a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. The issue stems from how certain component property updates are hydrated. This vulnerability is unique to Livewire v3 and does not affect prior major versions. Exploitation requires a component to be mounted and configured in a particular way, but does not require authentication or user interaction. This issue has been patched in Livewire v3.6.4. All users are strongly encouraged to upgrade to this version or later as soon as possible. No known workarounds are available.

CVSS v3.1 Score

9.8
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
NETWORK
Complexity
LOW
Privileges
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Published: 7/17/2025Modified: 3/20/2026

Related Intelligence (1)

HIGHVulnerability

CISA KEV: Laravel Livewire — Laravel Livewire Code Injection Vulnerability

Laravel Livewire contain a code injection vulnerability that could allow unauthenticated attackers to achieve remote command execution in specific scenarios.

CVE-2025-54068Laravel Livewire
CISA KEV

References (5)

https://github.com/livewire/livewire/commit/ef04be759da41b14d2d129e670533180a44987dcPatchhttps://github.com/livewire/livewire/releases/tag/v3.6.4Release Noteshttps://github.com/livewire/livewire/security/advisories/GHSA-29cq-5w36-x7w3Vendor Advisoryhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54068US Government Resourcehttps://www.threathunter.ai/blog/iranian-threat-actor-tools-techniques-iocs-ioas/Third Party Advisory