A critical remote command execution (RCE) vulnerability has been discovered in Livewire, the popular full-stack framework for Laravel. Tracked as CVE-2025-54068, this flaw affects Livewire version 3.6.3 and earlier, exposing potentially millions of applications to unauthenticated exploitation.
Livewire is a full-stack framework for Laravel that allows you to build dynamic UI components without leaving PHP. This framework has nearly 53 million downloads.
The vulnerability lies in how component properties are hydrated during updates in Livewire v3. Improper validation and unsafe handling of hydrated input allow attackers to inject and execute arbitrary code—without authentication or user interaction.
“In Livewire v3 (≤ 3.6.3), a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios,” the advisory explains.
While exploitation requires a specific component setup to be mounted and configured in a vulnerable state, no login, CSRF token, or active session is required—making this an extremely dangerous attack vector for any internet-exposed Laravel Livewire applications.
This flaw does not affect earlier versions of Livewire, including the widely used Livewire v2. However, for those using Livewire v3.x, particularly in development or production environments with custom components, the risk is significant and immediate.
The Livewire team acted swiftly to mitigate the vulnerability. A fix was rolled out in Livewire v3.6.4, and users are strongly urged to upgrade.
Unlike many vulnerabilities that allow temporary mitigation (e.g., disabling features, editing configurations), CVE-2025-54068 has no known workaround. Livewire users must update to stay secure.
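Because the only fix is the upgrade, the practical check is whether a deployment's lock file pins an affected release. The script below is an added example, not code from the Livewire project or the advisory: it reads a Laravel application's composer.lock, finds the livewire/livewire entry, and classifies it against the version boundary stated above (3.x below 3.6.4 is affected; v2 and earlier are not). The embedded sample lock file is constructed for the demonstration.

```python
import json
import re
from typing import Optional, Tuple

# CVE-2025-54068: Livewire v3 up to and including 3.6.3 is affected; 3.6.4 carries the fix.
V3_START = (3, 0, 0)
FIXED_VERSION = (3, 6, 4)


def parse_version(raw: str) -> Optional[Tuple[int, ...]]:
    """Turn a composer version string such as 'v3.6.3' into (3, 6, 3).
    Returns None for branch aliases ('dev-main', '3.x-dev') that cannot be compared."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", raw)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def livewire_status(lock_json: str) -> str:
    """Classify the pinned livewire/livewire release in a composer.lock document.
    Returns 'vulnerable', 'patched', 'unaffected', 'unknown' or 'not-installed'."""
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") != "livewire/livewire":
            continue
        ver = parse_version(pkg.get("version", ""))
        if ver is None:
            return "unknown"        # branch install: inspect the checked-out commit manually
        if ver < V3_START:
            return "unaffected"     # the advisory scopes the flaw to v3 only
        return "patched" if ver >= FIXED_VERSION else "vulnerable"
    return "not-installed"


# Constructed sample lock file (not from any real project) pinning the last affected release.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0"},
        {"name": "livewire/livewire", "version": "v3.6.3"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    import sys
    # Usage: python check_livewire.py /path/to/composer.lock (defaults to the sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    print(livewire_status(data))  # prints "vulnerable" for the sample
```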