
Livewire Flaw Puts Millions of Laravel Apps at Risk of RCE Attacks


A critical vulnerability discovered in Livewire, a popular full-stack framework for Laravel applications, exposes millions of web properties to unauthenticated remote command execution attacks.

Tracked as CVE-2025-54068, the flaw resides in Livewire versions from 3.0.0-beta.1 up to 3.6.3 and stems from the way certain component property updates are hydrated, allowing an attacker to inject and execute arbitrary commands on the server.

With no available workaround, developers and organizations leveraging Livewire v3 are urged to upgrade immediately to version 3.6.4 or later to mitigate the risk.

Field: Information
CVE ID: CVE-2025-54068
Vulnerability Name: Livewire Remote Command Execution during Property Update Hydration
Package: livewire/livewire (Composer)
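
To find out whether a project is pinned to a version in the range given above, the following added example (not code from the article or from the Livewire project) reads a composer.lock file and classifies the locked livewire/livewire version. The sample lock contents are constructed, and the function names are this example's own.

```python
import json
import re

PACKAGE = "livewire/livewire"
FIRST_AFFECTED = "3.0.0-beta.1"  # range as stated in the article
FIXED = "3.6.4"
STAGES = {"alpha": 0, "beta": 1, "rc": 2}  # pre-release tags, in order

def version_key(version):
    """Map a Composer version such as 'v3.6.3' or '3.0.0-beta.1' to a sortable tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d+)?)?", version.strip())
    if not m or (m.group(4) and m.group(4).lower() not in STAGES):
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch, tag, tag_num = m.groups()
    # A stable release (no tag) sorts after every pre-release of the same x.y.z.
    stage = STAGES[tag.lower()] if tag else len(STAGES)
    return (int(major), int(minor), int(patch), stage, int(tag_num or 0))

def is_affected(version):
    """True when FIRST_AFFECTED <= version < FIXED."""
    return version_key(FIRST_AFFECTED) <= version_key(version) < version_key(FIXED)

def check_lock(lock_text):
    """Return (version, status) for every locked copy of PACKAGE."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") != PACKAGE:
                continue
            version = pkg.get("version", "")
            try:
                status = "affected" if is_affected(version) else "not affected"
            except ValueError:
                status = "unknown"  # e.g. a dev branch: check the commit by hand
            findings.append((version, status))
    return findings

# Constructed sample lock file (not taken from any real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.9.2"},
        {"name": "livewire/livewire", "version": "v3.6.3"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for version, status in check_lock(SAMPLE_LOCK):
        print(f"{PACKAGE} {version}: {status}")
```

Run it against each deployed project's composer.lock rather than composer.json, since the lock file records the version that is actually installed.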

In Livewire’s component architecture, property hydration synchronizes client-side state with server-side properties on each request.

The vulnerability arises when a specially crafted update payload bypasses the usual validation and sanitization steps, causing the framework to interpret untrusted input ...


Copyright of this story solely belongs to gbhackers.