What is the CVSS score of CVE-2025-54068?

CVE-2025-54068 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 16.0%.

Which versions of PHP are affected by CVE-2025-54068?

Laravel applications using Livewire v3 up to v3.6.3 are exposed to unauthenticated remote code execution, allowing attackers to gain complete control of affected servers without valid credentials.. A patch is available.

Is CVE-2025-54068 being actively exploited?

Yes, CVE-2025-54068 is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, confirming active in-the-wild exploitation. Immediate patching is required.

How to fix or mitigate CVE-2025-54068?

Within 24 hours: Inventory all Laravel deployments and identify those running Livewire v3 up to v3.6.3; immediately implement WAF rules blocking suspicious component hydration requests and isolate affected systems if patching cannot be completed immediately. Within 7 days: Upgrade all affected Livewire installations to v3.6.4 or later, and conduct a thorough audit of application and system logs for exploitation attempts or unauthorized access. Within 30 days: Perform full forensic review of affected systems, reset credentials, audit IAM permissions, and implement enhanced monitoring for component hydration anomalies.

PHP CVE-2025-54068

CRITICAL

Code Injection (CWE-94)

2025-07-17 security-advisories@github.com

GHSA-29cq-5w36-x7w3

PHP RCE Laravel Code Injection Livewire

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Added to CISA KEV

Mar 20, 2026 - 18:36 cisa

CISA KEV

Analysis Generated

Mar 20, 2026 - 16:07 vuln.today

Patch released

Mar 20, 2026 - 16:07 nvd

Patch available

CVE Published

Jul 17, 2025 - 19:15 nvd

CRITICAL 9.8

DescriptionNVD

Livewire is a full-stack framework for Laravel. In Livewire v3 up to and including v3.6.3, a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. The issue stems from how certain component property updates are hydrated. This vulnerability is unique to Livewire v3 and does not affect prior major versions. Exploitation requires a component to be mounted and configured in a particular way, but does not require authentication or user interaction. This issue has been patched in Livewire v3.6.4. All users are strongly encouraged to upgrade to this version or later as soon as possible. No known workarounds are available.

AnalysisAI

Laravel Livewire v3 through v3.6.3 contains a critical remote code execution vulnerability (CVE-2025-54068, CVSS 9.8) that allows unauthenticated attackers to execute commands through improper hydration of component property updates. KEV-listed with EPSS 16%, this vulnerability affects one of the most popular PHP frameworks, potentially compromising thousands of Laravel applications using Livewire for reactive server-side rendering.

Technical ContextAI

Livewire is a full-stack framework for Laravel that enables reactive server-side rendering. Component state is serialized, sent to the client, and deserialized (hydrated) on subsequent requests. The vulnerability exists in how certain property updates are hydrated — attacker-controlled data can influence the hydration process to execute arbitrary PHP code. This affects Livewire v3 specifically (introduced in the v3 rewrite) and is exploitable without authentication on any page using vulnerable component patterns.

RemediationAI

Upgrade Livewire to v3.6.4 or later immediately. If unable to upgrade, review component property definitions for potentially vulnerable patterns. Rotate all secrets in .env after patching. Audit application logs for suspicious Livewire requests.

CVE-2025-54068 vulnerability details – vuln.today

Back

PHP CVE-2025-54068

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code