Laravel Security Notice: Livewire v3 Remote Code Execution Vulnerability!

[Notice #4] Livewire v3 is vulnerable to an RCE (Remote Command Execution) during component property update hydration in specific scenarios. ⚠️ Update your Livewire ASAP! ⚠️

A CRITICAL severity vulnerability was just disclosed for Livewire v3 (≤ 3.6.3): CVE-2025-54068. It advises that a Remote Code Execution (RCE) vulnerability was found within the component property update hydration code under specific scenarios, which would allow an attacker to run arbitrary PHP code on vulnerable applications.

If you have Livewire v3 installed, you need to update to v3.6.4 immediately!

The Vulnerability

As per the GitHub Security Advisory:

In Livewire v3 (≤ 3.6.3), a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. The issue stems from how certain component property updates are hydrated. This vulnerability is unique to Livewire v3 and does not affect prior major versions. Exploitation requires a component to be mounted and configured in a particular way, but does not require authentication or user interaction.

(I added emphasis.)

There are no known workarounds, and the specific vulnerable scenarios have not been disclosed - all you can do is update Livewire to the patched version ASAP.

Given this has a critical severity, no details have been shared, to give folks more time to update. However, the open-source nature of the project means attackers may already be attempting to reverse-engineer the patch to identify and exploit the flaw, so don't dawdle.

Is Your App Vulnerable?

If you have livewire/livewire version >= 3.0.0-beta.1, < 3.6.4 installed, then yes, update ASAP!

UPDATE 2025-07-21

Run composer audit and check the output.

The livewire/livewire package may be installed by one of your dependencies, such as Filament or Laravel Pulse, and not show up in your composer.json file.

You can check this by running composer show to list all installed packages, or composer show livewire/livewire to check it directly. If the package is installed, it will print details about the package; if it's not, it will return an error. You can also use composer why livewire/livewire --tree to see which package(s) require it.

The Fix

Either run a full Composer update:

composer update

Or specifically update livewire/livewire, if you have other version constraints:

composer update livewire/livewire

Note that composer update livewire/livewire may not update the package if another package's constraint pins it to an older version. So verify that you see version 3.6.4 (or higher) being installed - and if not, check your other dependencies or run composer update.
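The checks above (is livewire/livewire present, and is the locked version patched?) can be run against a project's composer.lock without Composer itself, which is handy when auditing many repositories from a CI job or a file share. The script below is an added example, not part of the original notice: it flags any livewire/livewire entry in the affected range (>= 3.0.0-beta.1, < 3.6.4) and assumes the pretty-printed composer.lock layout, where each package entry lists "name" before "version".

```shell
#!/bin/sh
# Added example (not from the notice): flag a composer.lock whose locked
# livewire/livewire is in the affected range >= 3.0.0-beta.1, < 3.6.4.

# Exit 0 if VERSION is in the affected range, 1 otherwise.
livewire_vulnerable() {
    # "v3.6.3-beta.2" -> "3.6.3": drop leading "v" and any pre-release suffix
    v=$(printf '%s' "$1" | sed -e 's/^v//' -e 's/[-+].*$//')
    case $v in [0-9]*.[0-9]*) ;; *) return 1 ;; esac   # dev-* cannot be judged
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}
    case $rest in *.*) patch=${rest#*.}; patch=${patch%%.*} ;; *) patch=0 ;; esac
    [ "$major" -eq 3 ] || return 1                      # v2.x and v4+ not affected
    [ "$minor" -lt 6 ] && return 0                      # 3.0.x .. 3.5.x
    [ "$minor" -eq 6 ] && [ "$patch" -lt 4 ] && return 0   # 3.6.0 .. 3.6.3
    return 1
}

# Print the version locked for livewire/livewire (empty if absent). composer.lock
# lists "name" before "version" inside each package entry.
lock_version() {
    awk '/"name": *"livewire\/livewire"/ { found = 1 }
         found && /"version":/ { sub(/.*"version": *"/, ""); sub(/".*/, ""); print; exit }' "$1"
}

# Exit 0 when livewire/livewire is absent or patched, 2 when it is affected.
check_lock() {
    ver=$(lock_version "$1")
    if [ -z "$ver" ]; then
        echo "OK: livewire/livewire not locked in $1 (confirm with: composer show livewire/livewire)"
        return 0
    elif livewire_vulnerable "$ver"; then
        echo "VULNERABLE: livewire/livewire $ver in $1 - run: composer update livewire/livewire"
        return 2
    fi
    echo "OK: livewire/livewire $ver in $1 is outside the affected range"
}

# Constructed sample lock (not a real project's file) to show the check running.
SAMPLE_LOCK=$(mktemp)
cat > "$SAMPLE_LOCK" <<'EOF'
{
    "packages": [
        {
            "name": "livewire/livewire",
            "version": "v3.6.3"
        }
    ]
}
EOF
check_lock "$SAMPLE_LOCK" || true; rm -f "$SAMPLE_LOCK"   # reports VULNERABLE for v3.6.3
```

Run it as `check_lock path/to/composer.lock` for each project; a non-zero exit (2) marks the ones that still need the update.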

Final Comments

I've seen the details for this and it's a rather sneaky vulnerability that can be disastrously effective. I believe it could even be turned into an automated attack, which could allow attackers to scan for sites with a vulnerable version of Livewire and exploit it as part of an automated process - which is very concerning.

I'd like to dissect this vulnerability in a future In Depth, after a suitable disclosure period has been observed, and huge credits to the researcher(s) who found and reported this issue.