Security Tip: Update your packages! (Yes, this again!)
[Tip #124] I know I say this all the time (especially on stage!), but apparently not everyone heard me, so here we go again...
Let's talk about known vulnerabilities, and why it's so important to keep on top of package updates in the apps we maintain. (And yes, I know, I talk about this all the time! And yet...)
In July 2025, a critical severity vulnerability was disclosed in Livewire v3 (CVE-2025-54068), and everyone was encouraged to upgrade as soon as possible. Which many people did... but not everyone.
Fast forward 5 months to December 2025, and the security team who discovered the vulnerability released a proof of concept, called Livepyre, which made it trivial to identify and exploit this vulnerability in the wild. Which happened...

And folks started seeing the numbers 8194460 appearing on their apps... (via Reddit)
As soon as a vulnerability is known, attackers will start trying to exploit it. Initially, all they will have to go on are the code changes in the fixed version, but at some point a Proof of Concept will be published - either by the researchers who discovered the vulnerability, or by a third party who works out how to put together an exploit from those changes.
Setting aside the discussion about posting Proof of Concept scripts for exploiting known vulnerabilities (we can have that another time), this felt like a really good reminder for why updates are important.
I was reminded of Livepyre today when I saw another vulnerability (CVE-2026-25129) was recently disclosed, this time in the PsySH dev console that Laravel uses for Tinker. This vulnerability provides Local Privilege Escalation via a malicious .psysh.php, which is autoloaded. As part of the disclosure, a full Proof of Concept is already provided.
Update your packages, folks. Here be dragons.
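As a practical check to go with the advice above, here is an added example (not the newsletter's own code): a small Python scanner that reads a composer.lock and flags packages installed below a known fixed version, including require-dev packages such as PsySH. The lock-file excerpt and the fixed-version numbers are constructed placeholders, so take the real patched versions from the advisories, or simply run `composer audit`, which queries the advisory database for you.

```python
# Added example (not the newsletter's code): flag composer.lock packages
# installed below a known fixed version. All versions below are CONSTRUCTED
# placeholders; take the real patched versions from the advisories.
import json
import re

# Constructed composer.lock excerpt: Livewire in "packages", PsySH (pulled
# in by laravel/tinker) in "packages-dev".
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "livewire/livewire", "version": "v3.5.0"},
        {"name": "laravel/framework", "version": "v11.30.0"},
    ],
    "packages-dev": [
        {"name": "psy/psysh", "version": "v0.12.0"},
    ],
})

# PLACEHOLDER fixed versions, not the real ones: fill in from the advisories
# (CVE-2025-54068 for Livewire, CVE-2026-25129 for PsySH).
FIXED_IN = {
    "livewire/livewire": "3.99.0",
    "psy/psysh": "0.99.0",
}

def parse_version(v):
    """Turn 'v3.5.0' or '3.6.4-beta.1' into a comparable tuple; a
    pre-release sorts before the matching release."""
    core, _, pre = v.lstrip("vV").partition("-")
    nums = (tuple(int(x) for x in re.findall(r"\d+", core)) + (0, 0, 0))[:3]
    return nums + ((0, pre) if pre else (1, ""))

def outdated_packages(lock_json, fixed_in):
    """Return {name: installed_version} for each package below its fix."""
    lock = json.loads(lock_json)
    found = {}
    # Dev packages count too: Tinker's PsySH lives in require-dev, and
    # `composer audit` scans that section unless you pass --no-dev.
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            fix = fixed_in.get(pkg["name"])
            if fix and parse_version(pkg["version"]) < parse_version(fix):
                found[pkg["name"]] = pkg["version"]
    return found

if __name__ == "__main__":
    for name, ver in outdated_packages(SAMPLE_LOCK, FIXED_IN).items():
        print(f"{name} {ver} is below fixed version {FIXED_IN[name]}; update it")
```

Point it at your real composer.lock and the advisory's fixed versions, and wire it (or `composer audit`) into CI so a known-vulnerable lock file fails the build rather than shipping.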
Found this security tip useful? 👍
Subscribe now to get weekly Security Tips straight to your inbox, filled with practical, actionable advice to help you build safer apps.
Want to learn more? 🤓
Upgrade to a Premium Subscription for exclusive monthly In Depth articles, or support my work with a one-off tip! Your support directly funds my security work in the Laravel community. 🥰
Need a second set of eyes on your code?
Book in a Laravel Security Audit and Penetration Test today! I also offer budget-friendly Security Reviews.
Finally, connect with me on Bluesky, or other socials, and check out Practical Laravel Security, my interactive course designed to boost your Laravel security skills.