Laravel Security Notice: Livewire v3 Remote Code Execution Vulnerability!
[Notice #4] Livewire v3 is vulnerable to an RCE (Remote Command Execution) during component property update hydration in specific scenarios. ⚠️ Update your Livewire ASAP! ⚠️

A CRITICAL severity vulnerability was just disclosed for Livewire v3 (≤ 3.6.3): CVE-2025-54068. It advises that a Remote Code Execution (RCE) vulnerability was found within the component property update hydration code under specific scenarios, which would allow an attacker to run arbitrary PHP code on vulnerable applications.
If you have Livewire v3 installed, you need to update to v3.6.4 immediately!
The Vulnerability
As per the GitHub Security Advisory:
In Livewire v3 (≤ 3.6.3), a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. The issue stems from how certain component property updates are hydrated. This vulnerability is unique to Livewire v3 and does not affect prior major versions. Exploitation requires a component to be mounted and configured in a particular way, but does not require authentication or user interaction.
(I added emphasis.)
There are no known workarounds, and the specific vulnerable scenarios have not been identified - all you can do is update Livewire to the patched version ASAP.
Given its critical severity, no details have been shared, to give folks more time to update. However, the open-source nature of the project means attackers may already be attempting to reverse-engineer the patch to identify and abuse the exploit, so don't dawdle.
Is Your App Vulnerable?
If you have livewire/livewire version >= 3.0.0-beta.1, < 3.6.4 installed, then yes, update ASAP!
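To check that range against a project's composer.lock without waiting for a manual review, here is an added example (not code from the post or from Livewire) that parses the lock file and flags an installed livewire/livewire version that falls inside the affected range; the embedded lock snippet is constructed for illustration and the version-comparison helper is my own, not Composer's.

```python
import json
import re

def parse_version(v):
    """Turn 'v3.6.3', '3.0.0-beta.1' or '3.6.4' into a comparable tuple.
    A pre-release sorts below the same numeric release, so 3.6.4-beta.1 < 3.6.4."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    # (0, "beta.1") sorts before (1, "") for the same numeric version
    return (major, minor, patch, 0 if pre else 1, pre or "")

# Affected range from the advisory: >= 3.0.0-beta.1, < 3.6.4 (fixed in 3.6.4)
AFFECTED_FROM = parse_version("3.0.0-beta.1")
PATCHED = parse_version("3.6.4")

def livewire_status(lock_json):
    """Return (installed_version, vulnerable) from composer.lock contents,
    or (None, False) if livewire/livewire is not locked at all."""
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == "livewire/livewire":
            version = pkg["version"]
            t = parse_version(version)
            return version, AFFECTED_FROM <= t < PATCHED
    return None, False

# Constructed composer.lock excerpt for illustration (not a real project's lock)
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v12.1.0"},
        {"name": "livewire/livewire", "version": "v3.6.3"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    version, vulnerable = livewire_status(SAMPLE_LOCK)
    print(f"livewire/livewire {version}: {'UPDATE NOW' if vulnerable else 'ok'}")
```

Point it at a real lock file with `livewire_status(open("composer.lock").read())`; a branch alias such as `dev-main` is rejected with a ValueError rather than silently reported as safe.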
The Fix
Either run a full Composer update:
composer update
Or specifically update livewire/livewire, if you have other version constraints:
composer update livewire/livewire
Final Comments
I've seen the details for this and it's a rather sneaky vulnerability that can be disastrously effective. I believe it could even be turned into an automated attack, which could allow attackers to scan for sites with a vulnerable version of Livewire and exploit it as part of an automated process - which is very concerning.
I'd like to dissect this vulnerability in a future In Depth, after a suitable disclosure period has been observed, and huge credits to the researcher(s) who found and reported this issue.