Remote Command Execution Vulnerability in Livewire Framework from Laravel
CVE-2025-54068

9.2 CRITICAL

Key Information:

Vendor: Livewire

Status
Vendor
CVE Published: 17 July 2025

What is CVE-2025-54068?

In Livewire up to and including version 3.6.3, a vulnerability exists that allows unauthenticated attackers to execute commands remotely in certain configurations. This issue is caused by specific component property updates that are not adequately secured. Importantly, exploitation of this vulnerability does not necessitate authentication or user interaction, making it particularly concerning for users of Livewire v3. It is strongly advised that all users upgrade to Livewire version 3.6.4 or later to mitigate this risk, as no alternative workarounds are available.

Affected Version(s)

livewire >= 3.0.0-beta.1, < 3.6.4
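
A quick way to check whether a project pins a release inside the affected range above is to read its `composer.lock`. The following is an added example, not code from the Livewire project or this advisory; it assumes the Composer package name `livewire/livewire` and uses a constructed sample lockfile.

```python
import json
import re

# Affected range as stated on this page: >= 3.0.0-beta.1, < 3.6.4
AFFECTED_MIN = "3.0.0-beta.1"
FIXED_IN = "3.6.4"
PACKAGE = "livewire/livewire"  # assumption: Composer package name

# Pre-release tags sort below the stable release with the same number.
_STABILITY = {"dev": 0, "alpha": 1, "beta": 2, "rc": 3, "": 4}

def version_key(version):
    """Turn '3.0.0-beta.1' or 'v3.6.3' into a sortable tuple."""
    m = re.fullmatch(
        r"v?(\d+)\.(\d+)\.(\d+)(?:-?(dev|alpha|beta|rc)\.?(\d*))?",
        version.strip(), re.IGNORECASE)
    if not m:
        # Branch aliases such as 'dev-main' cannot be range-checked.
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    tag = (m.group(4) or "").lower()
    tag_num = int(m.group(5) or 0)
    return (major, minor, patch, _STABILITY[tag], tag_num)

def is_affected(version):
    """True when version falls in [AFFECTED_MIN, FIXED_IN)."""
    key = version_key(version)
    return version_key(AFFECTED_MIN) <= key < version_key(FIXED_IN)

def check_lockfile(lock_text):
    """Return (version, affected) for Livewire, or (None, False) if absent."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            return pkg["version"], is_affected(pkg["version"])
    return None, False

# Constructed sample lockfile content (not taken from a real project).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "laravel/framework", "version": "v11.9.2"},
    {"name": "livewire/livewire", "version": "v3.6.3"},
]})

if __name__ == "__main__":
    print(check_lockfile(SAMPLE_LOCK))
```

To check a real project, pass the contents of its `composer.lock` to `check_lockfile`.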

CVSS V4

Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
