A critical remote code execution (RCE) vulnerability, CVE-2025-54068 (CVSS 9.2), has been disclosed in Livewire v3, the full-stack UI framework for Laravel, putting potentially millions of Laravel applications at risk of compromise. The flaw allows an unauthenticated, remote attacker to execute code on a vulnerable web server.

The Problem
The vulnerability resides in how Livewire v3 handles component state updates, specifically in its hydration mechanism: on each Livewire request the server rebuilds the component and its properties from the snapshot and updates that the browser sends back, and only then applies the requested changes and actions. Because that payload is under the client's control, a flaw in how certain property updates are hydrated allows an attacker who can reach the application to drive the server into remote command execution, with no user interaction and no login credentials required.
The attack complexity is rated as high: exploitation depends on a specific component configuration being present in the target application, a condition the attacker does not control. That qualifier should not be read as reassurance. The attack is network-based and needs neither privileges nor user interaction, and an operator cannot cheaply verify that no component in an application matches the exploitable configuration, so every install in the affected range should be treated as exposed.
Affected Systems
- Product: Livewire v3 (Composer package livewire/livewire), the full-stack framework for Laravel
- Affected Versions: 3.0.0-beta.1 through 3.6.3, i.e. every v3 pre-release and release before 3.6.4 (Livewire v2 releases are outside the stated range)
- Impact: Complete system compromise (Confidentiality, Integrity, and Availability).
The Fix
- There is no viable workaround, so treat this as an emergency: patching is the only mitigation.
- All users running affected versions of Livewire v3 must upgrade immediately to version 3.6.4 or later and redeploy, so that the patched vendor code is what actually serves requests. Verify the version that is deployed, not just the constraint in composer.json: a ^3.0 constraint can still resolve to a vulnerable build in composer.lock.
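The check above can be scripted. The following is an added example, not code from the advisory or from the Livewire project: it reads the livewire/livewire version pinned in a composer.lock file and reports whether it falls inside the 3.0.0-beta.1 through 3.6.3 range. It assumes Composer's usual lock-file layout, in which each package's "name" line is immediately followed by its "version" line, and the lock file embedded below is a constructed fragment, not a real project's.

```shell
#!/bin/sh
# Added example (not code from the advisory or the Livewire project): decide
# whether the Livewire release pinned in a composer.lock falls in the range
# the advisory lists for CVE-2025-54068, 3.0.0-beta.1 through 3.6.3.

# livewire_affected VERSION
# Exit status 0 when VERSION is an affected 3.x build, 1 otherwise
# (3.6.4 and later, or a non-3.x release such as Livewire v2).
livewire_affected() {
    v=${1#v}            # composer.lock may record the tag as "v3.5.2"
    v=${v%%-*}          # drop a pre-release suffix: 3.0.0-beta.1 -> 3.0.0
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;  # tolerate a 4th component
        *)   patch=0 ;;                               # "3.6" -> 3.6.0
    esac
    [ "$major" = 3 ] || return 1
    [ "$minor" -lt 6 ] && return 0
    [ "$minor" -eq 6 ] && [ "$patch" -lt 4 ] && return 0
    return 1
}

# livewire_version_from_lock LOCKFILE
# Print the pinned livewire/livewire version. Assumes Composer's layout, in
# which "name" is followed on the next line by "version" for every package.
livewire_version_from_lock() {
    grep -A1 '"name": "livewire/livewire"' "$1" \
        | sed -n 's/.*"version": "\([^"]*\)".*/\1/p'
}

# check_lock LOCKFILE
# Prints a one-line verdict. Exit status: 0 affected, 1 not affected,
# 2 when the package is not in the lock file at all.
check_lock() {
    ver=$(livewire_version_from_lock "$1")
    if [ -z "$ver" ]; then
        echo "livewire/livewire not present in $1"
        return 2
    fi
    if livewire_affected "$ver"; then
        echo "livewire/livewire $ver: AFFECTED by CVE-2025-54068, upgrade to 3.6.4"
        return 0
    fi
    echo "livewire/livewire $ver: not in the affected range"
    return 1
}

# Constructed composer.lock fragment for demonstration only; a real lock file
# carries many more packages and fields per package.
LOCK_FILE=$(mktemp)
cat > "$LOCK_FILE" <<'EOF'
{
    "packages": [
        {
            "name": "laravel/framework",
            "version": "v11.20.0"
        },
        {
            "name": "livewire/livewire",
            "version": "v3.6.3"
        }
    ]
}
EOF

check_lock "$LOCK_FILE" || true
```

Against a real project, run check_lock on the repository's composer.lock and again on the copy deployed on the server, since the two can drift apart. To upgrade, run composer update livewire/livewire and confirm with composer show livewire/livewire that the resolved version is 3.6.4 or later before redeploying.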
Key Takeaways
- The Threat: RCE flaw in Livewire v3 allows attackers to take control of Laravel web apps.
- The Danger: No authentication or user interaction is required for exploitation.
- The Scope: Affects millions of applications running versions 3.0.0-beta.1 through 3.6.3.
- The Action: Patch immediately to Livewire v3.6.4.