CVE-2025-54068: Livewire is vulnerable to remote command execution during component property update hydration
In Livewire v3 (≤ 3.6.3), a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. The issue stems from how certain component property updates are hydrated. This vulnerability is unique to Livewire v3 and does not affect prior major versions. Exploitation requires a component to be mounted and configured in a particular way, but does not require authentication or user interaction.
References
- github.com/advisories/GHSA-29cq-5w36-x7w3
- github.com/livewire/livewire
- github.com/livewire/livewire/commit/ef04be759da41b14d2d129e670533180a44987dc
- github.com/livewire/livewire/releases/tag/v3.6.4
- github.com/livewire/livewire/security/advisories/GHSA-29cq-5w36-x7w3
- nvd.nist.gov/vuln/detail/CVE-2025-54068
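To check a project against the affected range stated above (Livewire v3, ≤ 3.6.3), the following added example reads a `composer.lock` and classifies the locked `livewire/livewire` version. It is not code from the advisory or from the Livewire project; the function names and the sample lock content are assumptions constructed for illustration, and pre-release suffixes are ignored when comparing.

```python
import json
import re
import sys

PACKAGE = "livewire/livewire"
LAST_AFFECTED = (3, 6, 3)  # advisory range: Livewire v3 up to and including 3.6.3


def parse_version(raw):
    """Return (major, minor, patch) for 'v3.6.3' or '3.5.0-beta.1', else None."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", raw.strip())
    if not m:
        return None  # branch aliases such as 'dev-main' or '3.x-dev'
    return tuple(int(g or 0) for g in m.groups())


def classify(raw):
    """Map a locked version string to affected / not-affected / unknown."""
    version = parse_version(raw)
    if version is None:
        return "unknown"  # review by hand: the lock pins a branch, not a tag
    if version[0] == 3 and version <= LAST_AFFECTED:
        return "affected"
    return "not-affected"  # other major versions, or v3 above the range


def check_lock(lock_text):
    """Return (section, version, status) for each locked Livewire entry."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() == PACKAGE:
                ver = pkg.get("version", "")
                findings.append((section, ver, classify(ver)))
    return findings


# Constructed composer.lock content, used when no path is given.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "laravel/framework", "version": "v11.9.2"},
                 {"name": "livewire/livewire", "version": "v3.6.3"}],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "11.2.5"}],
})

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    results = check_lock(text)
    for section, ver, status in results:
        print(f"{PACKAGE} {ver} ({section}): {status}")
    sys.exit(1 if any(s != "not-affected" for _, _, s in results) else 0)
```

Run it with the path to a `composer.lock` as the only argument; a non-zero exit status means an affected or unresolvable version was found, which makes it usable as a CI gate.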