
Critical Livewire Vulnerability Puts Laravel Apps at Risk of Remote Code Execution

By Husain Parvez (Writer)

Published on: July 26, 2025

A newly disclosed vulnerability in the Livewire v3 framework for Laravel could allow unauthenticated attackers to execute remote code on affected systems, security researchers have warned. Tracked as CVE-2025-54068, the flaw impacts versions 3.0.0-beta.1 through 3.6.3 and has been rated 9.2 on the CVSS v4 scale, making it critical across confidentiality, integrity, and availability metrics.

The vulnerability lies in how Livewire v3 handles property updates during the hydration process, which syncs server-side component states. The attack doesn’t require authentication or user interaction and can be executed over the network. According to the security advisory, “This makes the vulnerability particularly dangerous for internet-facing Laravel applications utilizing affected Livewire versions.”

Livewire confirmed that “the exploitation scenario requires components to be mounted and configured in a particular way,” suggesting not all installs are equally at risk, but those that meet the conditions face the potential for full system compromise. The vulnerability is specific to version 3 and does not affect earlier releases of the framework.

Experts said the flaw allows for “remote command execution through network-based attacks” with no special privileges. Although the attack complexity is high, the lack of user interaction or authentication requirements significantly increases the threat level. Livewire’s own assessment adds, “No workaround exists for this security flaw, making the patch update the only viable mitigation strategy.”

To fix the issue, the development team has released version 3.6.4 and urged all users to upgrade immediately. Detailed technical information will be shared after a responsible disclosure window to prevent exploitation of unpatched systems. Organizations are being told to include the patch in their emergency security update cycles.
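Since the only mitigation is the 3.6.4 upgrade, the first thing a practitioner wants is a quick way to tell whether a given Laravel project is still on an affected release. The script below is an added example, not code from the advisory or the Livewire project: it reads a composer.lock, finds the livewire/livewire entry and checks the installed version against the affected range the advisory gives (3.0.0-beta.1 through 3.6.3), handling the pre-release tag and the "v" prefix that Composer emits. The sample lock contents are constructed for the demonstration.

```python
import json
import re

# Range from the advisory for CVE-2025-54068: 3.0.0-beta.1 up to and including 3.6.3.
FIRST_AFFECTED = "3.0.0-beta.1"
FIXED_VERSION = "3.6.4"

def parse_version(v):
    """Turn 'v3.6.3' or '3.0.0-beta.1' into a tuple that compares correctly.
    A pre-release sorts before the final release with the same numbers."""
    v = v.lstrip("v")
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d+)?)?", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):
        pre = (0, m.group(4).lower(), int(m.group(5) or 0))  # e.g. beta.1
    else:
        pre = (1, "", 0)  # final release: sorts after any pre-release
    return (major, minor, patch, pre)

def is_affected(version):
    """True when the version lies inside the advisory's affected range."""
    v = parse_version(version)
    return parse_version(FIRST_AFFECTED) <= v < parse_version(FIXED_VERSION)

def audit_composer_lock(lock_text):
    """Return (installed_version, affected) for livewire/livewire,
    or None when the package is not present in the lock file."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == "livewire/livewire":
            return pkg["version"], is_affected(pkg["version"])
    return None

# Constructed composer.lock excerpt standing in for a real project's file.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.20.0"},
        {"name": "livewire/livewire", "version": "v3.6.3"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    result = audit_composer_lock(SAMPLE_LOCK)
    print("livewire/livewire not installed" if result is None
          else f"livewire/livewire {result[0]}: {'AFFECTED, upgrade to ' + FIXED_VERSION if result[1] else 'not affected'}")
```

Point `audit_composer_lock` at the real file with `open("composer.lock").read()`; remember that composer.lock reflects what was last installed, not what composer.json would allow, so run it after `composer install` or `composer update`.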

Millions of Laravel-based apps that have adopted Livewire v3 could be vulnerable, especially if components are exposed to the internet. Given the potential impact and ease of exploitation under certain configurations, this is being treated as one of the most serious vulnerabilities to affect the Laravel ecosystem in recent years.
